Windows Analysis Report
mpXUd364Rz

Overview

General Information

Sample Name: mpXUd364Rz (renamed file extension from none to dll)
Analysis ID: 595330
MD5: 76a03b741a85be73b47b1a72cea1becb
SHA1: f453704ee0177d5771766870bc871e7c048a6c61
SHA256: 7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
Tags: Dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 864 cmdline: loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 3892 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5488 cmdline: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • MDMAppInstaller.exe (PID: 6560 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • MDMAppInstaller.exe (PID: 6568 cmdline: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • iexpress.exe (PID: 6676 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • wextract.exe (PID: 6804 cmdline: C:\Windows\system32\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • wextract.exe (PID: 6812 cmdline: C:\Users\user\AppData\Local\xwE\wextract.exe MD5: ED93B350C8EEFC442758A00BC3EEDE2D)
        • SystemPropertiesAdvanced.exe (PID: 7000 cmdline: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe MD5: 82ED6250B9AA030DDC13DC075D2C16E3)
        • FileHistory.exe (PID: 7120 cmdline: C:\Windows\system32\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • FileHistory.exe (PID: 7132 cmdline: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe MD5: 989B5BDB2BEAC9F894BBC236F1B67967)
        • iexpress.exe (PID: 580 cmdline: C:\Windows\system32\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • iexpress.exe (PID: 3396 cmdline: C:\Users\user\AppData\Local\KGg\iexpress.exe MD5: 5EF563C2A4E7B7F4100ECD13B304FC48)
        • sppsvc.exe (PID: 1236 cmdline: C:\Windows\system32\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • sppsvc.exe (PID: 4452 cmdline: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe MD5: FEEC8055C5986182C717DD888000AEF6)
        • InfDefaultInstall.exe (PID: 5136 cmdline: C:\Windows\system32\InfDefaultInstall.exe MD5: 5FDB30927E9D4387D777443BF865EEFD)
    • rundll32.exe (PID: 5420 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3676 cmdline: rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
Yara matches in memory dumps (rule: JoeSecurity_Dridex_2, description: Yara detected Dridex unpacked file, author: Joe Security; 5 of 13 entries shown, the complete list appears under E-Banking Fraud below):
  • 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp
  • 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp
  • 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp
  • 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp
  • 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp

Yara matches in unpacked PE files (same rule, description and author; 5 of 13 entries shown):
  • 8.2.rundll32.exe.7fffe1fd0000.2.unpack
  • 31.2.FileHistory.exe.7ffff0db0000.3.unpack
  • 25.2.wextract.exe.7ffff6cc0000.3.unpack
  • 9.2.rundll32.exe.7fffe1fd0000.2.unpack
  • 33.2.iexpress.exe.7ffff0db0000.3.unpack

System Summary (Sigma rule matches)

Source: Process started | Author: Florian Roth | Rule: Suspicious Call by Ordinal (see Signatures) | Data: Command: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3892, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1, ProcessId: 5488
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3616, TargetFilename: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe

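The two Sigma matches above and the process tree they come from (rundll32 called with the ordinal export #1, explorer.exe writing MDMAppInstaller.exe into AppData\Local\USNBng, and the copied binary then executing from that folder) can be expressed as detection logic over process-creation and file-creation events. The block below is an added example in Python and is not code from Joe Sandbox, from the Sigma rules or from the report; the events are constructed from the report's process tree using Sysmon-style field names, and the set of System32 binaries is taken from the tree rather than from a real inventory.

```python
"""Detection logic for the Sigma observations above (process started,
file created) and the process tree: rundll32 invoked with an ordinal
export, explorer.exe writing a PE under AppData\\Local, and a copy of a
System32 binary executing from AppData\\Local.

Added example, not code from Joe Sandbox or from the sample. The events
are constructed from the report's process tree and use Sysmon-style field
names (EventID 1 = process creation, EventID 11 = file creation).
"""
import re

# Binaries the report shows copied out of System32 into random AppData\Local
# folders. In practice, build this set from a System32 inventory instead.
SYSTEM_BINARIES = {
    "mdmappinstaller.exe", "iexpress.exe", "wextract.exe", "sppsvc.exe",
    "filehistory.exe", "systempropertiesadvanced.exe",
    "systempropertiescomputername.exe", "infdefaultinstall.exe",
}

# rundll32 <dll>,#<n>: export referenced by ordinal rather than by name.
ORDINAL_EXPORT = re.compile(r"rundll32(\.exe)?\s+.*,\s*#\d+", re.IGNORECASE)
# Any path below C:\Users\<user>\AppData\Local\
LOCAL_APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)
PE_EXTENSIONS = (".exe", ".dll", ".cpl", ".ocx")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the alert names that fire for one event (empty if none)."""
    alerts = []
    image = basename(event["Image"])
    if event["EventID"] == 1:
        if image == "rundll32.exe" and ORDINAL_EXPORT.search(event.get("CommandLine", "")):
            alerts.append("rundll32_ordinal_export")
        if image in SYSTEM_BINARIES and LOCAL_APPDATA.search(event["Image"]):
            alerts.append("system_binary_running_from_localappdata")
    elif event["EventID"] == 11:
        target = event.get("TargetFilename", "")
        if (image == "explorer.exe" and LOCAL_APPDATA.search(target)
                and target.lower().endswith(PE_EXTENSIONS)):
            alerts.append("explorer_writes_pe_to_localappdata")
    return alerts


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """(ProcessId, alert) pairs in event order."""
    return [(e["ProcessId"], a) for e in events for a in classify(e)]


# Constructed from the process tree above; PIDs and paths as in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5488, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1'},
    {"EventID": 1, "ProcessId": 5772, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA"},
    {"EventID": 11, "ProcessId": 3616, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe"},
    {"EventID": 1, "ProcessId": 6560, "Image": r"C:\Windows\system32\MDMAppInstaller.exe",
     "CommandLine": r"C:\Windows\system32\MDMAppInstaller.exe"},
    {"EventID": 1, "ProcessId": 6568,
     "Image": r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe"},
]

if __name__ == "__main__":
    for pid, alert in detect(SAMPLE_EVENTS):
        print(pid, alert)
```

Neither rule on its own is a conviction: rundll32 with an ordinal is used by some legitimate installers, and explorer.exe writes executables into AppData\Local whenever a user copies one there. What makes this tree high-confidence is the sequence, a PE dropped by explorer.exe into a fresh AppData\Local folder and, moments later, a process with a System32 image name starting from that same folder. Correlate the three alerts on the folder path when turning this into a production rule.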

                      AV Detection

Source: mpXUd364Rz.dll | Virustotal: Detection: 64%
Source: mpXUd364Rz.dll | Metadefender: Detection: 62%
Source: mpXUd364Rz.dll | ReversingLabs: Detection: 88%
Source: mpXUd364Rz.dll | Avira: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: mpXUd364Rz.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\tivYqgA\newdev.dll | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C19E934: CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C19E64C: EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset
Source: mpXUd364Rz.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202ED10: FindFirstFileExW
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF99ED10: FindFirstFileExW
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5A08: LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD2164: FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5518: LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551EC0: FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FFFF6D1ED10: FindFirstFileExW
Source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: http://xml.org/sax/properties/lexical-handler&<>"'SelectionLanguageXPathSelectio

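The AV detection list above shows the pattern behind the process tree: every flagged file is a DLL or CPL (WTSAPI32.dll, UxTheme.dll, VERSION.dll, SYSDM.CPL, XmlLite.dll, newdev.dll) sitting in a random-named folder under AppData\Local beside an unmodified copy of a System32 executable, which in the tree carries the same MD5 as its System32 original. A disk-side hunt for that layout, as an added example in Python that is not code from the report or from Joe Sandbox: the script hashes every .exe under a local AppData root, matches it against a hash index of System32, and lists the loadable modules beside each copy. The directory tree it scans is constructed in a temporary folder with fake file contents; in a real run you would point index_system32 at C:\Windows\System32 and find_staging_dirs at each user's AppData\Local.

```python
"""Hunt for DLL side-loading staging folders like those in the AV list
above: a byte-identical copy of a System32 executable dropped under
%LOCALAPPDATA%\\<random>\\ next to a DLL or CPL whose name shadows one of
that executable's imports (WTSAPI32.dll beside MDMAppInstaller.exe,
VERSION.dll beside iexpress.exe, and so on).

Added example, not code from the report. The directory tree is built in a
temporary folder with constructed file contents standing in for
C:\\Windows\\System32 and C:\\Users\\<user>\\AppData\\Local.
"""
import hashlib
import tempfile
from pathlib import Path

# Modules Windows resolves from the application directory before System32
# (unless KnownDLLs or an explicit full path intervenes): the payload slot.
PAYLOAD_EXTENSIONS = {".dll", ".cpl", ".ocx"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system32(system32: Path) -> dict[str, str]:
    """sha256 -> file name for every .exe in the reference directory."""
    return {sha256_of(p): p.name.lower() for p in system32.glob("*.exe")}


def find_staging_dirs(local_appdata: Path, known: dict[str, str]) -> list[dict]:
    """One finding per folder that holds an exact copy of a System32
    executable together with at least one loadable module beside it."""
    findings = []
    for exe in local_appdata.rglob("*.exe"):
        digest = sha256_of(exe)
        if digest not in known:
            continue  # not a copy of a reference binary; out of scope here
        modules = sorted(p.name for p in exe.parent.iterdir()
                         if p.is_file() and p.suffix.lower() in PAYLOAD_EXTENSIONS)
        if modules:
            findings.append({
                "dir": str(exe.parent),
                "copied_exe": exe.name,
                "system32_original": known[digest],
                "candidate_payloads": modules,
            })
    return findings


def build_demo_tree(root: Path) -> tuple[Path, Path]:
    """Constructed stand-in for System32 and %LOCALAPPDATA% (fake PE bytes)."""
    system32 = root / "Windows" / "System32"
    local = root / "Users" / "user" / "AppData" / "Local"
    system32.mkdir(parents=True)
    local.mkdir(parents=True)
    legit_exe = b"MZ" + b"\x00" * 62 + b"constructed MDMAppInstaller body"
    (system32 / "MDMAppInstaller.exe").write_bytes(legit_exe)
    (system32 / "WTSAPI32.dll").write_bytes(b"MZ" + b"constructed genuine wtsapi32")
    staging = local / "USNBng"
    staging.mkdir()
    (staging / "MDMAppInstaller.exe").write_bytes(legit_exe)  # same hash as System32
    (staging / "WTSAPI32.dll").write_bytes(b"MZ" + b"constructed loader payload")
    (local / "Temp").mkdir()
    (local / "Temp" / "setup.exe").write_bytes(b"MZ" + b"unrelated installer")
    return system32, local


def run_demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        system32, local = build_demo_tree(Path(tmp))
        return find_staging_dirs(local, index_system32(system32))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

A hash match tells you the executable itself is the genuine Microsoft binary, which is exactly why Avira and the ML classifier flag the DLLs and the CPL in the list above and not the EXEs next to them; the module is the artifact to pull for analysis. Two caveats for a real deployment: compare Authenticode signatures rather than raw hashes if you also want to catch copies of older builds of the same binary, and check the signature of the module as well, since a legitimate DLL can sit beside a copied executable for benign reasons.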
                      E-Banking Fraud

Source: Yara match | File sources of type UNPACKEDPE:
  • 8.2.rundll32.exe.7fffe1fd0000.2.unpack
  • 31.2.FileHistory.exe.7ffff0db0000.3.unpack
  • 25.2.wextract.exe.7ffff6cc0000.3.unpack
  • 9.2.rundll32.exe.7fffe1fd0000.2.unpack
  • 33.2.iexpress.exe.7ffff0db0000.3.unpack
  • 23.2.iexpress.exe.7fffef940000.3.unpack
  • 5.2.rundll32.exe.7fffe1fd0000.2.unpack
  • 20.2.MDMAppInstaller.exe.7fffef940000.3.unpack
  • 36.2.sppsvc.exe.7ffff6cc0000.3.unpack
  • 40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack
  • 29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack
  • 1.2.loaddll64.exe.7fffe1fd0000.2.unpack
  • 4.2.rundll32.exe.7fffe1fd0000.2.unpack
Source: Yara match | File sources of type MEMORY:
  • 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp
  • 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp
  • 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp
  • 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp
  • 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp
  • 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp
  • 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp
  • 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp
  • 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp
  • 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp
  • 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp
  • 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp
  • 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp

                      System Summary

Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
Source: sppsvc.exe.6.dr | Static PE information: section name: ?g_Encry
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E55297C: GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551B10: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE201CA50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE200AA70
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE201A2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2005020
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF7880
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2023150
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20059F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2037650
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20197D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203D520
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202DDC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE200B250
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD7A40
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203B260
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFDAA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20382A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203AAA0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF92C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202F2C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2037AF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF82E0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE200BAE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2032AE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2000300
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFA310
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FDBB20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2001B30
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2035B50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF3340
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE8340
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD5350
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2004360
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2034390
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2024BC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE23F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2039410
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203E400
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE7410
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2000020
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFC030
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2025840
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF5050
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE201F870
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE200F870
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FED890
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE08B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD18D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FDB100
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FEE110
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF3910
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2006130
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2036950
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF4140
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203B960
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2009990
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD2980
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFE9A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FEE9B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF11B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF69C0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20021D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20091F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20089F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFF1F0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FDDE20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD1620
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2020650
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE8670
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD7E80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD6E90
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203A6B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20006A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFF6B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2037EC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2030F30
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF872B
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF2F50
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2030770
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2035760
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FEE770
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203C780
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE204EF80
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD6790
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE204B7A0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FFE7B0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE8FC0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FEA7D0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2044FF0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF6FE0
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FF4800
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD1010
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FE5420
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE1FD5C20
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203A490
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203E494
Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE203E49D
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FFAC801_2_00007FFFE1FFAC80
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E48B1_2_00007FFFE203E48B
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4B61_2_00007FFFE203E4B6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2032CA01_2_00007FFFE2032CA0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4A61_2_00007FFFE203E4A6
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE203E4AD1_2_00007FFFE203E4AD
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE3CD01_2_00007FFFE1FE3CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2005CD01_2_00007FFFE2005CD0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2003CF01_2_00007FFFE2003CF0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2000D101_2_00007FFFE2000D10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2001D301_2_00007FFFE2001D30
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FFD5501_2_00007FFFE1FFD550
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FF3D501_2_00007FFFE1FF3D50
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE9D701_2_00007FFFE1FE9D70
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FDC5A01_2_00007FFFE1FDC5A0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE20025C01_2_00007FFFE20025C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE95C01_2_00007FFFE1FE95C0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FE65E01_2_00007FFFE1FE65E0
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE2002E101_2_00007FFFE2002E10
                      Source: C:\Windows\System32\loaddll64.exeCode function: 1_2_00007FFFE1FF36101_2_00007FFFE1FF3610
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19E93420_2_00007FF77C19E934
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A19D420_2_00007FF77C1A19D4
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C1A49FF20_2_00007FF77C1A49FF
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19464820_2_00007FF77C194648
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C19963020_2_00007FF77C199630
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C193FAC20_2_00007FF77C193FAC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FF77C196BDC20_2_00007FF77C196BDC
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9897D020_2_00007FFFEF9897D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A765020_2_00007FFFEF9A7650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99DDC020_2_00007FFFEF99DDC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AD52020_2_00007FFFEF9AD520
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF975CD020_2_00007FFFEF975CD0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98A2C020_2_00007FFFEF98A2C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97BAE020_2_00007FFFEF97BAE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98CA5020_2_00007FFFEF98CA50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97AA7020_2_00007FFFEF97AA70
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9759F020_2_00007FFFEF9759F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99315020_2_00007FFFEF993150
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97502020_2_00007FFFEF975020
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96788020_2_00007FFFEF967880
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF958FC020_2_00007FFFEF958FC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95A7D020_2_00007FFFEF95A7D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BB7A020_2_00007FFFEF9BB7A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96E7B020_2_00007FFFEF96E7B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96480020_2_00007FFFEF964800
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94101020_2_00007FFFEF941010
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF966FE020_2_00007FFFEF966FE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9B4FF020_2_00007FFFEF9B4FF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF962F5020_2_00007FFFEF962F50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96872B20_2_00007FFFEF96872B
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A0F3020_2_00007FFFEF9A0F30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BEF8020_2_00007FFFEF9BEF80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AC78020_2_00007FFFEF9AC780
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94679020_2_00007FFFEF946790
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A576020_2_00007FFFEF9A5760
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E77020_2_00007FFFEF95E770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A077020_2_00007FFFEF9A0770
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BBF6F20_2_00007FFFEF9BBF6F
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7EC020_2_00007FFFEF9A7EC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9706A020_2_00007FFFEF9706A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96F6B020_2_00007FFFEF96F6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AA6B020_2_00007FFFEF9AA6B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99065020_2_00007FFFEF990650
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94162020_2_00007FFFEF941620
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94DE2020_2_00007FFFEF94DE20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF947E8020_2_00007FFFEF947E80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF946E9020_2_00007FFFEF946E90
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95867020_2_00007FFFEF958670
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9595C020_2_00007FFFEF9595C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9725C020_2_00007FFFEF9725C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94C5A020_2_00007FFFEF94C5A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96361020_2_00007FFFEF963610
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF972E1020_2_00007FFFEF972E10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9565E020_2_00007FFFEF9565E0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF963D5020_2_00007FFFEF963D50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96D55020_2_00007FFFEF96D550
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF998D2020_2_00007FFFEF998D20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF971D3020_2_00007FFFEF971D30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC59020_2_00007FFFEF9BC590
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF959D7020_2_00007FFFEF959D70
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF953CD020_2_00007FFFEF953CD0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4AD20_2_00007FFFEF9AE4AD
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A2CA020_2_00007FFFEF9A2CA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4A620_2_00007FFFEF9AE4A6
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE4B620_2_00007FFFEF9AE4B6
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF970D1020_2_00007FFFEF970D10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF973CF020_2_00007FFFEF973CF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF945C2020_2_00007FFFEF945C20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95542020_2_00007FFFEF955420
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE48B20_2_00007FFFEF9AE48B
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96AC8020_2_00007FFFEF96AC80
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE49D20_2_00007FFFEF9AE49D
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AA49020_2_00007FFFEF9AA490
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE49420_2_00007FFFEF9AE494
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF994BC020_2_00007FFFEF994BC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BFC0020_2_00007FFFEF9BFC00
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AE40020_2_00007FFFEF9AE400
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95741020_2_00007FFFEF957410
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A941020_2_00007FFFEF9A9410
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9523F020_2_00007FFFEF9523F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96334020_2_00007FFFEF963340
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95834020_2_00007FFFEF958340
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94535020_2_00007FFFEF945350
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A5B5020_2_00007FFFEF9A5B50
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94BB2020_2_00007FFFEF94BB20
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF971B3020_2_00007FFFEF971B30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A439020_2_00007FFFEF9A4390
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97436020_2_00007FFFEF974360
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9692C020_2_00007FFFEF9692C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99F2C020_2_00007FFFEF99F2C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9922C020_2_00007FFFEF9922C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96DAA020_2_00007FFFEF96DAA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A82A020_2_00007FFFEF9A82A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AAAA020_2_00007FFFEF9AAAA0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97030020_2_00007FFFEF970300
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96A31020_2_00007FFFEF96A310
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9682E020_2_00007FFFEF9682E0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A2AE020_2_00007FFFEF9A2AE0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A7AF020_2_00007FFFEF9A7AF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF947A4020_2_00007FFFEF947A40
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97B25020_2_00007FFFEF97B250
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AB26020_2_00007FFFEF9AB260
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9669C020_2_00007FFFEF9669C0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9721D020_2_00007FFFEF9721D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96E9A020_2_00007FFFEF96E9A0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E9B020_2_00007FFFEF95E9B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9611B020_2_00007FFFEF9611B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9791F020_2_00007FFFEF9791F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9789F020_2_00007FFFEF9789F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96F1F020_2_00007FFFEF96F1F0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96414020_2_00007FFFEF964140
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9A695020_2_00007FFFEF9A6950
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97613020_2_00007FFFEF976130
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94298020_2_00007FFFEF942980
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97999020_2_00007FFFEF979990
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9AB96020_2_00007FFFEF9AB960
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9418D020_2_00007FFFEF9418D0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9508B020_2_00007FFFEF9508B0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC8B120_2_00007FFFEF9BC8B1
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF94B10020_2_00007FFFEF94B100
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95E11020_2_00007FFFEF95E110
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96391020_2_00007FFFEF963910
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BC0EB20_2_00007FFFEF9BC0EB
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF99584020_2_00007FFFEF995840
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96505020_2_00007FFFEF965050
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97002020_2_00007FFFEF970020
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9C082020_2_00007FFFEF9C0820
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF96C03020_2_00007FFFEF96C030
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF95D89020_2_00007FFFEF95D890
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF97F87020_2_00007FFFEF97F870
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF98F87020_2_00007FFFEF98F870
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD3AEC23_2_00007FF700CD3AEC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD2D1423_2_00007FF700CD2D14
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD5A0823_2_00007FF700CD5A08
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD16FC23_2_00007FF700CD16FC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD47B023_2_00007FF700CD47B0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CDB0D023_2_00007FF700CDB0D0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD18D023_2_00007FF700CD18D0
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD14BC23_2_00007FF700CD14BC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD9F6C23_2_00007FF700CD9F6C
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD9D2823_2_00007FF700CD9D28
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD551823_2_00007FF700CD5518
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD824423_2_00007FF700CD8244
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD344023_2_00007FF700CD3440
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E553D6425_2_00007FF78E553D64
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E55641825_2_00007FF78E556418
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E551C0025_2_00007FF78E551C00
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E55331025_2_00007FF78E553310
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E551B1025_2_00007FF78E551B10
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E5557D025_2_00007FF78E5557D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E555E9825_2_00007FF78E555E98
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E552AB425_2_00007FF78E552AB4
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2765025_2_00007FFFF6D27650
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D097D025_2_00007FFFF6D097D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF5CD025_2_00007FFFF6CF5CD0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D1DDC025_2_00007FFFF6D1DDC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2D52025_2_00007FFFF6D2D520
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CFBAE025_2_00007FFFF6CFBAE0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D0A2C025_2_00007FFFF6D0A2C0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CFAA7025_2_00007FFFF6CFAA70
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D0CA5025_2_00007FFFF6D0CA50
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE788025_2_00007FFFF6CE7880
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF502025_2_00007FFFF6CF5020
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF59F025_2_00007FFFF6CF59F0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D1315025_2_00007FFFF6D13150
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D27EC025_2_00007FFFF6D27EC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEF6B025_2_00007FFFF6CEF6B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CF06A025_2_00007FFFF6CF06A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D2A6B025_2_00007FFFF6D2A6B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD867025_2_00007FFFF6CD8670
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC6E9025_2_00007FFFF6CC6E90
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC7E8025_2_00007FFFF6CC7E80
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D1065025_2_00007FFFF6D10650
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC162025_2_00007FFFF6CC1620
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CCDE2025_2_00007FFFF6CCDE20
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE6FE025_2_00007FFFF6CE6FE0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CC101025_2_00007FFFF6CC1010
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D34FF025_2_00007FFFF6D34FF0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CE480025_2_00007FFFF6CE4800
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CEE7B025_2_00007FFFF6CEE7B0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3B7A025_2_00007FFFF6D3B7A0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CDA7D025_2_00007FFFF6CDA7D0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6CD8FC025_2_00007FFFF6CD8FC0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C196124 appears 108 times
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: String function: 00007FF77C195F34 appears 75 times
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FF77C199630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z
                      Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE2017770 NtClose
                      Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00007FFFE203D520 NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF965F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF987770 NtClose
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97CE20 NtDuplicateObject,NtClose
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF9AD520 NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF975CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97BAE0 NtReadVirtualMemory,RtlQueueApcWow64Thread
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF97AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF98F150 NtDelayExecution
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe Code function: 20_2_00007FFFEF978060 NtReadVirtualMemory
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D07770 NtClose
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CE5F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFC4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CF5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6D2D520 NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFBAE0 NtReadVirtualMemory
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe Code function: 25_2_00007FFFF6CFAA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DE5CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe Code function: 31_2_00007FFFF0DF7770 NtClose
                      Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SystemPropertiesAdvanced.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: FileHistory.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: SystemPropertiesComputerName.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: iexpress.exe0.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: wextract.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exeSection loaded: kernel34.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\KGg\iexpress.exeSection loaded: kernel34.dll
                      Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exeSection loaded: kernel34.dll
                      Source: WTSAPI32.dll.6.drStatic PE information: Number of sections : 71 > 10
                      Source: XmlLite.dll0.6.drStatic PE information: Number of sections : 71 > 10
                      Source: VERSION.dll1.6.drStatic PE information: Number of sections : 71 > 10
                      Source: SYSDM.CPL.6.drStatic PE information: Number of sections : 71 > 10
                      Source: UxTheme.dll.6.drStatic PE information: Number of sections : 71 > 10
                      Source: newdev.dll.6.drStatic PE information: Number of sections : 71 > 10
                      Source: VERSION.dll.6.drStatic PE information: Number of sections : 71 > 10
                      Source: VERSION.dll0.6.drStatic PE information: Number of sections : 71 > 10
                      Source: XmlLite.dll.6.drStatic PE information: Number of sections : 71 > 10
                      Source: mpXUd364Rz.dllStatic PE information: Number of sections : 70 > 10
                      Source: SYSDM.CPL0.6.drStatic PE information: Number of sections : 71 > 10
                      Source: mpXUd364Rz.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SYSDM.CPL.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: UxTheme.dll.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: VERSION.dll.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: SYSDM.CPL0.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: WTSAPI32.dll.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: newdev.dll.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: XmlLite.dll0.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: VERSION.dll0.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: VERSION.dll1.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: mpXUd364Rz.dllVirustotal: Detection: 64%
                      Source: mpXUd364Rz.dllMetadefender: Detection: 62%
                      Source: mpXUd364Rz.dllReversingLabs: Detection: 88%
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wextract.exe C:\Windows\system32\wextract.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\xwE\wextract.exe C:\Users\user\AppData\Local\xwE\wextract.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\FileHistory.exe C:\Windows\system32\FileHistory.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\iexpress.exe C:\Windows\system32\iexpress.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\KGg\iexpress.exe C:\Users\user\AppData\Local\KGg\iexpress.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\InfDefaultInstall.exe C:\Windows\system32\InfDefaultInstall.exe
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Process created: unknown unknown
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551B10 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 25_2_00007FF78E551B10
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal100.troj.evad.winDLL@49/22@0/0
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A3134 CoCreateInstance,CoSetProxyBlanket, 20_2_00007FF77C1A3134
Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E556418 GetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,GetLastError,FormatMessageA,SetCurrentDirectoryA, 25_2_00007FF78E556418
Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD7FF4 _lwrite,_lwrite,GetLastError,FormatMessageA,LoadStringA,MessageBoxA,LocalFree, 23_2_00007FF700CD7FF4
Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF97CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,Thread32Next, 20_2_00007FFFEF97CB00
                      Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exeMutant created: \Sessions\1\BaseNamedObjects\{2b9f69fc-d942-5108-1b7e-06ce6cc163c0}
                      Source: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exeMutant created: \Sessions\1\BaseNamedObjects\{201a9ced-b6b9-3ccf-1f9b-f23e480bd0ad}
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exeCode function: 23_2_00007FF700CD7600 CompareStringA,FindResourceExA,free,free,SizeofResource,malloc,memset,LoadResource,free,LockResource,memcpy,FreeResource,23_2_00007FF700CD7600
                      Source: mpXUd364Rz.dllStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: mpXUd364Rz.dllStatic file information: File size 1421312 > 1048576
                      Source: mpXUd364Rz.dllStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Source: Binary string: iexpress.pdbGCTL source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: wextract.pdb source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: wextract.pdbGCTL source: wextract.exe, 00000019.00000000.410833636.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp, wextract.exe, 00000019.00000002.434355036.00007FF78E559000.00000002.00000001.01000000.0000000E.sdmp
                      Source: Binary string: sppsvc.pdb source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdb source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdb source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: FileHistory.pdbGCTL source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: sppsvc.pdbGCTL source: sppsvc.exe, 00000024.00000000.519045806.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp, sppsvc.exe, 00000024.00000002.559206083.00007FF74EE9B000.00000002.00000001.01000000.00000017.sdmp
                      Source: Binary string: SystemPropertiesComputerName.pdbGCTL source: SystemPropertiesComputerName.exe, 00000028.00000000.569829747.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp, SystemPropertiesComputerName.exe, 00000028.00000002.595087283.00007FF6726F2000.00000002.00000001.01000000.0000001A.sdmp
                      Source: Binary string: SystemPropertiesAdvanced.pdbGCTL source: SystemPropertiesAdvanced.exe, 0000001D.00000000.439910859.00007FF773112000.00000002.00000001.01000000.00000010.sdmp, SystemPropertiesAdvanced.exe, 0000001D.00000002.467026056.00007FF773112000.00000002.00000001.01000000.00000010.sdmp
                      Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000014.00000002.369492137.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp, MDMAppInstaller.exe, 00000014.00000000.345833557.00007FF77C1A5000.00000002.00000001.01000000.0000000A.sdmp
                      Source: Binary string: iexpress.pdb source: iexpress.exe, 00000017.00000000.381495000.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000017.00000002.404968145.00007FF700CE0000.00000002.00000001.01000000.0000000C.sdmp, iexpress.exe, 00000021.00000000.482512095.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp, iexpress.exe, 00000021.00000002.512158543.00007FF6ECF70000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: FileHistory.pdb source: FileHistory.exe, 0000001F.00000000.471907577.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp, FileHistory.exe, 0000001F.00000002.476813926.00007FF6F1249000.00000002.00000001.01000000.00000012.sdmp
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exeCode function: 20_2_00007FFFEF9BD500 push rax; iretd 20_2_00007FFFEF9BD501
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FFFF6D3D500 push rax; iretd 25_2_00007FFFF6D3D501
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vxl
                      Source: mpXUd364Rz.dllStatic PE information: section name: .qwubgr
                      Source: mpXUd364Rz.dllStatic PE information: section name: .eer
                      Source: mpXUd364Rz.dllStatic PE information: section name: .xwwauf
                      Source: mpXUd364Rz.dllStatic PE information: section name: .pkc
                      Source: mpXUd364Rz.dllStatic PE information: section name: .npkda
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vhs
                      Source: mpXUd364Rz.dllStatic PE information: section name: .iaywj
                      Source: mpXUd364Rz.dllStatic PE information: section name: .nasi
                      Source: mpXUd364Rz.dllStatic PE information: section name: .zhvprh
                      Source: mpXUd364Rz.dllStatic PE information: section name: .yatdsp
                      Source: mpXUd364Rz.dllStatic PE information: section name: .njso
                      Source: mpXUd364Rz.dllStatic PE information: section name: .lgliat
                      Source: mpXUd364Rz.dllStatic PE information: section name: .ntqjh
                      Source: mpXUd364Rz.dllStatic PE information: section name: .sucsek
                      Source: mpXUd364Rz.dllStatic PE information: section name: .qsxjui
                      Source: mpXUd364Rz.dllStatic PE information: section name: .twctcm
                      Source: mpXUd364Rz.dllStatic PE information: section name: .nms
                      Source: mpXUd364Rz.dllStatic PE information: section name: .ogj
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vrkgb
                      Source: mpXUd364Rz.dllStatic PE information: section name: .gikfw
                      Source: mpXUd364Rz.dllStatic PE information: section name: .ktl
                      Source: mpXUd364Rz.dllStatic PE information: section name: .crcn
                      Source: mpXUd364Rz.dllStatic PE information: section name: .wtfr
                      Source: mpXUd364Rz.dllStatic PE information: section name: .hep
                      Source: mpXUd364Rz.dllStatic PE information: section name: .ywg
                      Source: mpXUd364Rz.dllStatic PE information: section name: .sqsp
                      Source: mpXUd364Rz.dllStatic PE information: section name: .gzb
                      Source: mpXUd364Rz.dllStatic PE information: section name: .fatlss
                      Source: mpXUd364Rz.dllStatic PE information: section name: .plqa
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vzt
                      Source: mpXUd364Rz.dllStatic PE information: section name: .dsbyd
                      Source: mpXUd364Rz.dllStatic PE information: section name: .cdelc
                      Source: mpXUd364Rz.dllStatic PE information: section name: .qkhkj
                      Source: mpXUd364Rz.dllStatic PE information: section name: .mnzegr
                      Source: mpXUd364Rz.dllStatic PE information: section name: .krw
                      Source: mpXUd364Rz.dllStatic PE information: section name: .jvsmn
                      Source: mpXUd364Rz.dllStatic PE information: section name: .bygpq
                      Source: mpXUd364Rz.dllStatic PE information: section name: .kzdbu
                      Source: mpXUd364Rz.dllStatic PE information: section name: .mwxorn
                      Source: mpXUd364Rz.dllStatic PE information: section name: .raf
                      Source: mpXUd364Rz.dllStatic PE information: section name: .zcyw
                      Source: mpXUd364Rz.dllStatic PE information: section name: .zeczh
                      Source: mpXUd364Rz.dllStatic PE information: section name: .pvv
                      Source: mpXUd364Rz.dllStatic PE information: section name: .lug
                      Source: mpXUd364Rz.dllStatic PE information: section name: .ski
                      Source: mpXUd364Rz.dllStatic PE information: section name: .japjd
                      Source: mpXUd364Rz.dllStatic PE information: section name: .mwtzml
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vgssf
                      Source: mpXUd364Rz.dllStatic PE information: section name: .gsroye
                      Source: mpXUd364Rz.dllStatic PE information: section name: .vcmr
                      Source: mpXUd364Rz.dllStatic PE information: section name: .kvjqnl
                      Source: mpXUd364Rz.dllStatic PE information: section name: .zlu
                      Source: mpXUd364Rz.dllStatic PE information: section name: .nrcvk
                      Source: mpXUd364Rz.dllStatic PE information: section name: .pfz
                      Source: mpXUd364Rz.dllStatic PE information: section name: .hxz
                      Source: mpXUd364Rz.dllStatic PE information: section name: .snjrs
                      Source: mpXUd364Rz.dllStatic PE information: section name: .bffts
                      Source: mpXUd364Rz.dllStatic PE information: section name: .gknvh
                      Source: mpXUd364Rz.dllStatic PE information: section name: .mifiod
                      Source: mpXUd364Rz.dllStatic PE information: section name: .whmsy
                      Source: mpXUd364Rz.dllStatic PE information: section name: .wtuzur
                      Source: mpXUd364Rz.dllStatic PE information: section name: .lwtn
                      Source: mpXUd364Rz.dllStatic PE information: section name: .kuh
                      Source: FileHistory.exe.6.drStatic PE information: section name: .nep
                      Source: sppsvc.exe.6.drStatic PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.drStatic PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.drStatic PE information: section name: ?g_Encry
                      Source: sppsvc.exe.6.drStatic PE information: section name: ?g_Encry
                      Source: MDMAppInstaller.exe.6.drStatic PE information: section name: .didat
                      Source: MusNotificationUx.exe.6.drStatic PE information: section name: .imrsiv
                      Source: MusNotificationUx.exe.6.drStatic PE information: section name: .didat
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .vxl
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .qwubgr
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .eer
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .xwwauf
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .pkc
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .npkda
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .vhs
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .iaywj
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .nasi
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .zhvprh
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .yatdsp
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .njso
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .lgliat
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .ntqjh
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .sucsek
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .qsxjui
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .twctcm
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .nms
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .ogj
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .vrkgb
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .gikfw
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .ktl
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .crcn
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .wtfr
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .hep
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .ywg
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .sqsp
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .gzb
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .fatlss
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .plqa
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .vzt
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .dsbyd
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .cdelc
                      Source: SYSDM.CPL.6.drStatic PE information: section name: .qkhkj
                      Source: SYSDM.CPL.6.dr Static PE information: section names: .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .repb
                      Source: UxTheme.dll.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .gwvj
                      Source: VERSION.dll.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .dgn
                      Source: XmlLite.dll.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .hmklaw
                      Source: SYSDM.CPL0.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .azm
                      Source: WTSAPI32.dll.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq, .kzdbu, .mwxorn, .raf, .zcyw, .zeczh, .pvv, .lug, .ski, .japjd, .mwtzml, .vgssf, .gsroye, .vcmr, .kvjqnl, .zlu, .nrcvk, .pfz, .hxz, .snjrs, .bffts, .gknvh, .mifiod, .whmsy, .wtuzur, .lwtn, .kuh, .wdajq
                      Source: newdev.dll.6.dr Static PE information: section names: .vxl, .qwubgr, .eer, .xwwauf, .pkc, .npkda, .vhs, .iaywj, .nasi, .zhvprh, .yatdsp, .njso, .lgliat, .ntqjh, .sucsek, .qsxjui, .twctcm, .nms, .ogj, .vrkgb, .gikfw, .ktl, .crcn, .wtfr, .hep, .ywg, .sqsp, .gzb, .fatlss, .plqa, .vzt, .dsbyd, .cdelc, .qkhkj, .mnzegr, .krw, .jvsmn, .bygpq
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exeCode function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary,25_2_00007FF78E554664
                      Source: SystemPropertiesAdvanced.exe.6.drStatic PE information: 0xB26F15BA [Tue Nov 11 10:21:46 2064 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.78392111205
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pUTm\SYSDM.CPL
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xwE\VERSION.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\tivYqgA\InfDefaultInstall.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KGg\VERSION.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4gdyz\XmlLite.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\KGg\iexpress.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\xwE\wextract.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\SUX56B\UxTheme.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\tivYqgA\newdev.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\JvUQhw\XmlLite.dll
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD3AEC CompareStringA,GetPrivateProfileStringA,CompareStringA,CompareStringA,toupper,strchr,strchr,LocalAlloc,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,CompareStringA,toupper,LocalAlloc,LocalAlloc,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalFree,memcpy_s,LocalFree,23_2_00007FF700CD3AEC
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD30D8 GetPrivateProfileStringA,LocalAlloc,23_2_00007FF700CD30D8
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD6C64 GetFileAttributesA,SetFileAttributesA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileSectionA,GetPrivateProfileStringA,SetFileAttributesA,23_2_00007FF700CD6C64
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDD620 GetPrivateProfileStringA,23_2_00007FF700CDD620
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD3440 WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,_itoa_s,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,WritePrivateProfileStringA,LocalAlloc,GetPrivateProfileStringA,LocalFree,GetPrivateProfileStringA,WritePrivateProfileStringA,LocalFree,23_2_00007FF700CD3440
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E5515C8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,25_2_00007FF78E5515C8
                      Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe TID: 6556 | Thread sleep count: 68 > 30
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Last function: Thread delayed
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe
                      Source: C:\Windows\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\tivYqgA\newdev.dll
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\loaddll64.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | API coverage: 8.1 %
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | API coverage: 0.6 %
                      Source: C:\Windows\System32\loaddll64.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202DDC0 GetSystemInfo,1_2_00007FFFE202DDC0
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE202ED10 FindFirstFileExW,1_2_00007FFFE202ED10
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FFFEF99ED10 FindFirstFileExW,20_2_00007FFFEF99ED10
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5A08 LoadStringA,CopyFileA,GetLastError,FormatMessageA,SetFileAttributesA,SetLastError,GetUserDefaultUILanguage,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,memset,LocalAlloc,FindFirstFileA,FindClose,LocalFree,SetLastError,GlobalLock,GlobalUnlock,GlobalFree,GlobalLock,GlobalUnlock,GlobalFree,GlobalAlloc,GlobalLock,GlobalUnlock,GlobalUnlock,SetLastError,DeleteFileA,23_2_00007FF700CD5A08
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD2164 FindFirstFileA,FindClose,23_2_00007FF700CD2164
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CD5518 LoadStringA,CompareStringA,GetModuleFileNameA,CharNextA,GetFileAttributesA,LocalAlloc,memset,CreateProcessA,CloseHandle,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,GetLastError,FormatMessageA,LocalFree,FindFirstFileA,FindClose,CreateFileA,LocalAlloc,ReadFile,CloseHandle,LocalFree,DeleteFileA,DeleteFileA,DeleteFileA,23_2_00007FF700CD5518
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E551EC0 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,25_2_00007FF78E551EC0
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FFFF6D1ED10 FindFirstFileExW,25_2_00007FFFF6D1ED10
                      Source: explorer.exe, 00000006.00000000.263903097.00000000051AC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ged:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: explorer.exe, 00000006.00000000.276835861.000000000405B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA
                      Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                      Source: explorer.exe, 00000006.00000000.247295653.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 00000006.00000000.282290301.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Gz?S
                      Source: explorer.exe, 00000006.00000000.280868301.00000000051F5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 00000006.00000000.245814685.000000000513E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 00000006.00000000.247879091.0000000006005000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C192890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,20_2_00007FF77C192890
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E554664 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,CharPrevA,CharPrevA,FreeLibrary,FreeLibrary,25_2_00007FF78E554664
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A4D20 GetProcessHeap,HeapFree,20_2_00007FF77C1A4D20
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE20197D0 LdrLoadDll,FindClose,1_2_00007FFFE20197D0
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A3DF0 SetUnhandledExceptionFilter,20_2_00007FF77C1A3DF0
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A3BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00007FF77C1A3BA4
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDEC60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00007FF700CDEC60
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDEF50 SetUnhandledExceptionFilter,23_2_00007FF700CDEF50
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E557A80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00007FF78E557A80
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E557D70 SetUnhandledExceptionFilter,25_2_00007FF78E557D70
                      Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe | Code function: 29_2_00007FF773111430 SetUnhandledExceptionFilter,29_2_00007FF773111430
                      Source: C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe | Code function: 29_2_00007FF7731116B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00007FF7731116B4
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Code function: 31_2_00007FF6F1247570 SetUnhandledExceptionFilter,31_2_00007FF6F1247570
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Code function: 31_2_00007FF6F12477EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FF6F12477EC

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\explorer.exe | File created: SYSDM.CPL.6.dr
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802C5EFE0 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802C5E000 protect: page execute read
                      Source: C:\Windows\System32\rundll32.exe | Memory protected: C:\Windows\explorer.exe base: 7FF8024E2A20 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Thread APC queued: target process: C:\Windows\explorer.exe
                      Source: C:\Windows\System32\rundll32.exe | Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
                      Source: C:\Users\user\AppData\Local\xwE\wextract.exe | Code function: 25_2_00007FF78E5512A0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,25_2_00007FF78E5512A0
                      Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.247216161.0000000005610000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000006.00000000.274591286.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
                      Source: explorer.exe, 00000006.00000000.240757751.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.259220966.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.293518653.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe | Queries volume information: C:\Users\user\AppData\Local\SUX56B\FileHistory.exe VolumeInformation
                      Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe | Code function: 20_2_00007FF77C1A260C GetSystemTimeAsFileTime,EnterCriticalSection,LeaveCriticalSection,??3@YAXPEAX@Z,20_2_00007FF77C1A260C
                      Source: C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | Code function: 23_2_00007FF700CDE5F0 GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CharNextA,23_2_00007FF700CDE5F0
                      Source: C:\Windows\System32\loaddll64.exe | Code function: 1_2_00007FFFE2019400 GetUserNameW,1_2_00007FFFE2019400
                      MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      1
                      Valid Accounts
                      2
                      Native API
                      1
                      Valid Accounts
                      1
                      Valid Accounts
                      11
                      Masquerading
                      OS Credential Dumping1
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Encrypted Channel
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      System Shutdown/Reboot
                      Default Accounts1
                      Exploitation for Client Execution
                      1
                      DLL Side-Loading
                      11
                      Access Token Manipulation
                      1
                      Valid Accounts
                      LSASS Memory1
                      Query Registry
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)312
                      Process Injection
                      1
                      Virtualization/Sandbox Evasion
                      Security Account Manager21
                      Security Software Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)1
                      DLL Side-Loading
                      1
                      Disable or Modify Tools
                      NTDS1
                      Virtualization/Sandbox Evasion
                      Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
                      Access Token Manipulation
                      LSA Secrets3
                      Process Discovery
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common312
                      Process Injection
                      Cached Domain Credentials1
                      Account Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                      Deobfuscate/Decode Files or Information
                      DCSync1
                      System Owner/User Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job3
                      Obfuscated Files or Information
                      Proc Filesystem1
                      File and Directory Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      Rundll32
                      /etc/passwd and /etc/shadow26
                      System Information Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)2
                      Software Packing
                      Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                      Timestomp
                      Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchd1
                      DLL Side-Loading
                      KeyloggingLocal GroupsComponent Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
                      Behavior Graph ID: 595330 | Sample: mpXUd364Rz | Start date: 23/03/2022 | Architecture: WINDOWS | Score: 100
                      Signatures on the start node: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
                      Process tree recovered from the behavior graph:
                      loaddll64.exe (started)
                          rundll32.exe (started): Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)
                              explorer.exe (injected): Benign windows process drops PE files
                                  dropped: C:\Users\user\AppData\Local\...\newdev.dll, PE32+
                                  dropped: C:\Users\user\AppData\Local\...\SYSDM.CPL, PE32+
                                  dropped: C:\Users\user\AppData\Local\...\WTSAPI32.dll, PE32+
                                  dropped: 17 other files (3 malicious)
                                  MDMAppInstaller.exe (started)
                                  iexpress.exe (started)
                                  SystemPropertiesAdvanced.exe (started)
                                  14 other processes
                          cmd.exe (started)
                              rundll32.exe (started)
                          rundll32.exe (started)
                          rundll32.exe (started)

                      Source | Detection | Scanner | Label
                      mpXUd364Rz.dll | 64% | Virustotal |
                      mpXUd364Rz.dll | 63% | Metadefender |
                      mpXUd364Rz.dll | 88% | ReversingLabs | Win64.Trojan.Occamy
                      mpXUd364Rz.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      mpXUd364Rz.dll | 100% | Joe Sandbox ML |
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Avira | TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Avira | TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Avira | TR/Crypt.XPACK.Gen7
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\tivYqgA\newdev.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
                      C:\Users\user\AppData\Local\USNBng\WTSAPI32.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\SUX56B\UxTheme.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\4gdyz\XmlLite.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\lcdNfR\SYSDM.CPL | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\E4DREUfrP\VERSION.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\tivYqgA\newdev.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | Virustotal |
                      C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | Metadefender |
                      C:\Users\user\AppData\Local\4gdyz\sppsvc.exe | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | Virustotal |
                      C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | Metadefender |
                      C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe | 0% | ReversingLabs |
                      C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe | 0% | Metadefender |
                      C:\Users\user\AppData\Local\JvUQhw\MusNotificationUx.exe | 0% | ReversingLabs |
                      Source | Detection | Scanner | Label
                      25.2.wextract.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      31.2.FileHistory.exe.7ffff0db0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.1eb1b660000.1.unpack | 100% | Avira | HEUR/AGEN.1215493
                      40.2.SystemPropertiesComputerName.exe.1dff2b20000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      20.2.MDMAppInstaller.exe.1ef82540000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      23.2.iexpress.exe.21c94820000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      1.2.loaddll64.exe.21a154b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      31.2.FileHistory.exe.171f47e0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      4.2.rundll32.exe.254a2cf0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      33.2.iexpress.exe.1f07aa30000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      33.2.iexpress.exe.7ffff0db0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      5.2.rundll32.exe.18fac3a0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      5.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      23.2.iexpress.exe.7fffef940000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      36.2.sppsvc.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      20.2.MDMAppInstaller.exe.7fffef940000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      40.2.SystemPropertiesComputerName.exe.7fffe31a0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.208b54f0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      25.2.wextract.exe.10ab1440000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      29.2.SystemPropertiesAdvanced.exe.7ffff6cc0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      36.2.sppsvc.exe.1ea000d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      1.2.loaddll64.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      29.2.SystemPropertiesAdvanced.exe.1efc2bf0000.0.unpack | 100% | Avira | HEUR/AGEN.1215493
                      4.2.rundll32.exe.7fffe1fd0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
                      No contacted IP infos
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:595330
                      Start date and time:2022-03-23 15:11:09 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 15m 50s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:mpXUd364Rz (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed:41
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@49/22@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 16.3% (good quality ratio 14.2%)
                      • Quality average: 58.7%
                      • Quality standard deviation: 32.6%
                      HCA Information:
                      • Successful, ratio: 98%
                      • Number of executed functions: 75
                      • Number of non-executed functions: 105
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                      • Not all processes were analyzed; the report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      No simulations
                      No context
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916186540013407
                      Encrypted:false
                      SSDEEP:12288:VZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:VZK6F7n5eRmDFJivohZFV
                      MD5:20DE3CEA2C5D6DAD1923E41BD1EB49B3
                      SHA1:C4B64DC5F509A22228E36B5B103945243A2A5A85
                      SHA-256:4DF8884826C1D1CB89429FD439F60355ADC6B9EC9E099860C36F3F4ADE20519A
                      SHA-512:8B70ED002411F4C1D1F774769183F4D53B90A3C7E84248B5C9B6352D739A6C7D1929E728EAA39EEB6A2C43C5B5927049D772A1B36C82C04EBB97FB923B349CDE
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):4527680
                      Entropy (8bit):7.180545050051135
                      Encrypted:false
                      SSDEEP:49152:hzB335WOshFXigiF5l5mpb0+bOnBmB8XEsDfA+uLCKls0did8Pf6ZJ6t3Ovenev1:8X5iFrEpdAkZ6W3xYBP149K
                      MD5:FEEC8055C5986182C717DD888000AEF6
                      SHA1:7749D1C531D85C69047576B3BB3525E0B01A2942
                      SHA-256:E09B7B1DE43A226842A4B8C591D712E51585BC7E8A39CFB8852CBF16D234C3A6
                      SHA-512:822869C750682453770C66D7C6665CECCCB0BB27ECEB8E0A9202FE5C194249235928005734504AED79D80583CED2A2F203D4133A11E7F4A8D6160F21F7F3919F
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-..C..C..C...@..C.......C...G...C...F..C...B...C..B...C...J...C...@..C.....C...A..C.Rich.C.........PE..d...A.Lc..........".......8.........P..........@................CS P..........D.....4.E.....................................................|.A.......D..+....B.4|...ZD.@....@D..n....?.T....................i:.(....h:.............8i:..............................text...L.7.......7................. ..`?g_Encry.-....7.......7............. ..`?g_Encry|-... 8.......8............. ..`?g_Encry.....P8..0...<8............. ..`?g_Encry.-....8......l8............. ..`.rdata........8.......8.............@..@.data.........A.......A.............@....pdata..4|....B..~...BB.............@..@.rsrc....+....D..,....C.............@..@.reloc...n...@D..n....C.............@..B................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.9173299589094634
                      Encrypted:false
                      SSDEEP:12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
                      MD5:E7C3A342B1FB434A7AF4A61759320B4F
                      SHA1:B23C4D3A98FD042BE1BE555FC962DE774D9226C2
                      SHA-256:F7DF6CCE9489C21D1F9385BFB40FD5E0DCF8AD962A6A0CF20986EDC6A37829FC
                      SHA-512:5253DAF18B82A2F11C42F11E98A73506DDA77FAF253330DA997770B7FCF62E2AA93AAAF50DA4F34FC549C19A74EF8D11DF31C5CACBDF7BE271F93229A7319954
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):165888
                      Entropy (8bit):6.756750968049146
                      Encrypted:false
                      SSDEEP:3072:oV6Rb3NlzO8Lwmq1cXNDnGOb+ahXNqJohePnq45L840:Y6TdOQXNDGOb+asEwv5L
                      MD5:5EF563C2A4E7B7F4100ECD13B304FC48
                      SHA1:4609D795D758A16B8703CA2E01F250D33816CB81
                      SHA-256:2DFA704A6C0DAAEF91BEF043BA6E3F5B5D2516C97AFFBD39EC2C7278497B1688
                      SHA-512:C372777121C0924519FC2EFDFF461B97B048D845AF14142680A4E95B9679D65583332788322CC87B98D3B1D8E28D0B1AFF74881B63BDA17434E4A8187B6D7CA9
                      Malicious:false
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 0%
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.............d......d......d......d.............d......dd.....d.....Rich............................PE..d....1............"............................@.........................................`.......... ...................................................W...p..........................T...........................@...............@...(............................text............................... ..`.rdata...........0..................@..@.data...42...0......................@....pdata.......p.......&..............@..@.rsrc....W.......X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):319488
                      Entropy (8bit):6.069929843481676
                      Encrypted:false
                      SSDEEP:6144:NRq8Ez5tCqd6Nr6/TWeRhUz/vMNuEob69hbF1m0lpVGMD8i3ZdTgDt0kcRkdXgl6:NRquQ/TWeRhUz/vMNuEob69hBblHGu3t
                      MD5:114A55D75AC7447F012B6D8EC8B1F7FC
                      SHA1:37D5636D940D0A948000B94C84AD6C41162E593F
                      SHA-256:E188143729B044955881302631BE577381B05B67E9899E09DB3573156719C70E
                      SHA-512:446FD3024710E6994A0085CF3ADC0E395BE131898D7D932B383A19981C41637D27D9DABFB2177DBB62375CF4CCFC13722F5B828FF0FA9BB691F220A73D035586
                      Malicious:false
                      Antivirus:
                      • Antivirus: Metadefender, Detection: 0%
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0.m.Q.>.Q.>.Q.>.)E>.Q.>.5.?.Q.>.5.?.Q.>.Q.>+Q.>.5.?.Q.>.5.?.Q.>.5.?.Q.>.5)>.Q.>.5.?.Q.>Rich.Q.>........PE..d...O.Uf.........."..........(.......E.........@.............................@......e}............... ......................................8...\.... ..........x............0..........T............................................................................text...L........................... ..`.imrsiv..................................rdata..L...........................@..@.data...............................@....pdata..x...........................@..@.didat..x...........................@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916173894320798
                      Encrypted:false
                      SSDEEP:12288:MZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:MZK6F7n5eRmDFJivohZFV
                      MD5:BC35E5E3135D1B331132CF588262E918
                      SHA1:9F2F3A89B6716D3CB7E022DF721E950BAFD72035
                      SHA-256:9EB14525427FFD5471AE405B49AE241B8F5582814B58AD8362EB668D153CAC3E
                      SHA-512:DA0FD0C2CC0FEF6C3B29178D6E6EB9091A6FF8912A3C8896A2ABA77B94E0F4307AB283DFE51E0D8A8B7C41C0B2D60FB43F1BD17E18D3D8790483CC89E51B5444
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.917318419857222
                      Encrypted:false
                      SSDEEP:12288:UZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:UZK6F7n5eRmDFJivohZFV
                      MD5:B8D02635D9DDC84EF8C19EF7796742C1
                      SHA1:01B84411DCCEF7225B66814AC273008C1B0EB55E
                      SHA-256:4021794209EF32D64272F184892D6E4ADF21F07090CA6797A26BB4246B0D83B4
                      SHA-512:31F7C4F5F157EAD39569577785FAAA4292E34589EA0280C2E55AB1E1B5ECF34DF513C0672CD1A71499BC63619478D9CD907BEE00BA1D0CABC91DBB6095ED9709
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):165888
                      Entropy (8bit):6.756750968049146
                      Encrypted:false
                      SSDEEP:3072:oV6Rb3NlzO8Lwmq1cXNDnGOb+ahXNqJohePnq45L840:Y6TdOQXNDGOb+asEwv5L
                      MD5:5EF563C2A4E7B7F4100ECD13B304FC48
                      SHA1:4609D795D758A16B8703CA2E01F250D33816CB81
                      SHA-256:2DFA704A6C0DAAEF91BEF043BA6E3F5B5D2516C97AFFBD39EC2C7278497B1688
                      SHA-512:C372777121C0924519FC2EFDFF461B97B048D845AF14142680A4E95B9679D65583332788322CC87B98D3B1D8E28D0B1AFF74881B63BDA17434E4A8187B6D7CA9
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a.............d......d......d......d.............d......dd.....d.....Rich............................PE..d....1............"............................@.........................................`.......... ...................................................W...p..........................T...........................@...............@...(............................text............................... ..`.rdata...........0..................@..@.data...42...0......................@....pdata.......p.......&..............@..@.rsrc....W.......X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):42
                      Entropy (8bit):4.0050635535766075
                      Encrypted:false
                      SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                      MD5:84CFDB4B995B1DBF543B26B86C863ADC
                      SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                      SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                      SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                      Malicious:false
                      Reputation:unknown
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):246784
                      Entropy (8bit):6.054877934071265
                      Encrypted:false
                      SSDEEP:3072:5WQz0maAVV604aFUxzYuVD8o+otIxAGQW7A70TshCbdmyTVulAyXRON:5WZmxPZUxzYuVD8ortIxAGJKSuCbd
                      MD5:989B5BDB2BEAC9F894BBC236F1B67967
                      SHA1:7B964642FEE2D6508E66C615AA6CF7FD95D6196E
                      SHA-256:FF1DE8A606FDB6A932E7A3E5EE5317A6483F08712DE93603C92C058E05A89C0C
                      SHA-512:0360C9FE88743056FD25AC17F12087DAD026B033E590A93F394B00EB486A2F5E2331EDCCA9605AA7573D892FBA41557C9E0EE4FAC69FCA687D6B6F144E5E5249
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m.s..k ..k ..k .hh!..k .^. ..k .ho!..k .hb!..k .hj!..k ..j #.k .hn!..k .h. ..k .hi!..k Rich..k ........PE..d................."......t...X.......{.........@............................. ......\.....`.......... ...............................................0....... ..8...............$... ...T...............................................................H............text...{m.......n.................. ..`.nep.................r.............. ..`.rdata...i.......j...x..............@..@.data... ...........................@....pdata..8.... ......................@..@.rsrc........0......................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.928831100074685
                      Encrypted:false
                      SSDEEP:12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
                      MD5:0111789310AC76F95B2EAD6673ADCD80
                      SHA1:09E9622BBFC43CA138A90E85F73C417F845EA1F5
                      SHA-256:8BA36FF9D732805C39FE1718C0064E1D50B98D710BDB636059668DB275C9B5D6
                      SHA-512:1AF365AFC1233FF8C17402D35F8ED974954431BBB25835113E02A8DC7B0C729DC1C91E67B7CB5B8A1C420187ECD4C00B901D77075F15A9BD9323FCA47FB68710
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):145920
                      Entropy (8bit):5.742854541048038
                      Encrypted:false
                      SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
                      MD5:E2C777B6E3CE4C15C5657429A63787A3
                      SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
                      SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
                      SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......OK7..*Y..*Y..*Y.dNZ..*Y.dN]..*Y.dN\..*Y.dNX.(*Y..*X..*Y.dNP..*Y.dN...*Y.dN[..*Y.Rich.*Y.........PE..d....$.6.........."......@...........:.........@....................................(.....`.......... ..........................................@....`.......@..4............p..........T....................R..(....Q..............8R......H...@....................text...k>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..4....@......................@..@.didat.......P......................@....rsrc........`.......0..............@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.9258357946515945
                      Encrypted:false
                      SSDEEP:12288:WZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:WZK6F7n5eRmDFJivohZFV
                      MD5:F154D9E2FB9AD87BACB1397C9EC31231
                      SHA1:80024165D6485B67EBC2A779072C7151D625297B
                      SHA-256:0F244128762A4CB1C39A4DC45CBB15F1F5C0A5FF963C032C0A1C8F3E971CCA2D
                      SHA-512:BDC2F436372950E3829D323BC079A5426BFD6C5821786DA5A278226383CF851AA72FDACF125C40C1F4821CE902D0E3901AD70F3B08BC4833CBCA3B4E571B17CC
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.91669283258889
                      Encrypted:false
                      SSDEEP:12288:jZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:jZK6F7n5eRmDFJivohZFV
                      MD5:BA9ACA182F98152AD064B0FF5C7B6683
                      SHA1:ECB3A471CCF3347DE04A124D053574734217B68E
                      SHA-256:691A9F7A2F75780303A9F79B437A9C9D09686E41C51ADB721F0255385B27777E
                      SHA-512:7EA6C1F19CB7132AC068D4015FE6E474BA5604BA1D47B7494E9121A33515EADE3A087BB7ABF08C24B06026E6273272A086CBE83CF7A6D838DB52F7D4C090A3A3
                      Malicious:true
                      Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):83968
                      Entropy (8bit):7.0666667890606005
                      Encrypted:false
                      SSDEEP:1536:/pmuZctREC/rMcgEPJV+G57ThjEC0kzJP+V5Jp:xHczECTMpuDhjRVJGr
                      MD5:BEE134E1F23AFD3AE58191D265BB9070
                      SHA1:52178976E1B4405157042CD3A095BE6D7975609A
                      SHA-256:7F258CE17EA09F076A767A2D3CC0A06F3AEF07169BFD6A16265B8958758FD799
                      SHA-512:AEDFF7C45288A1CF69616B9887FC091F0913BEFA0EA7642C6A18DB50E4D6369CDC73730B8E6BE4FEDB4EB5EC28729AED39845B2E6F0C0685EBFF60106B54C1A9
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d....F$..........."..........>.................@..........................................`.......... .......................................&.......P..H'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...H'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.916695574658334
                      Encrypted:false
                      SSDEEP:12288:wZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:wZK6F7n5eRmDFJivohZFV
                      MD5:2BCE47B487FACF09BFF2BEB5E26AFDA3
                      SHA1:F33DF30FF826CB85DEFF4995C2F7BAD45D17DCE8
                      SHA-256:1ED380A7DAEDA7A0C94BFCC6A79975A816B2891BC08034C69703E8775CD6159D
                      SHA-512:2CE56DB7797C5D63AB34420CE7A2EA8FD6A3D043CEA649C0D2CDB3A4FE57B80F4067BEB6DC891A0FAB266919C83FB82CC81CAC8F93E0E8A7F49E800ACBD5C6C8
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):83968
                      Entropy (8bit):7.065147438048501
                      Encrypted:false
                      SSDEEP:1536:UfuZktREC/rMcgEPJV+G57ThjEC0kzJP+V5Jl:VkzECTMpuDhjRVJG3
                      MD5:82ED6250B9AA030DDC13DC075D2C16E3
                      SHA1:BC2BDCF474A7315232136B29291166E789D1F280
                      SHA-256:F321BB53BBC41C2CBFFABC56837F9FA723AA0C6ACB68A0C200CBC7427202DC9E
                      SHA-512:94D34293F070F6505D6922977AC1EF8E08DB0D92DCA8823BCF7376FD81B3AA80D2BD0FEF21FC74BCE08EEBF82DF09114A71792945DE4E3BB1FD0929538DF489B
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%...a..[a..[a..[h..[o..[..Z`..[..Zc..[..Zp..[a..[C..[..Zd..[..Z`..[..q[`..[..Z`..[Richa..[........................PE..d.....o..........."..........>.................@....................................AS....`.......... .......................................&.......P..0'...@.................. ...."..T............................ ...............!..8............................text............................... ..`.rdata..N.... ......................@..@.data........0......................@....pdata.......@......................@..@.rsrc...0'...P...(..................@..@.reloc.. ............F..............@..B........................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):13312
                      Entropy (8bit):4.871127662725052
                      Encrypted:false
                      SSDEEP:192:kXe0PT5V21py9AA/lvmBfXWqFwO6Wdz3ios9aW/GW:kXe5pgAMhAXWq6OFZcaW/GW
                      MD5:5FDB30927E9D4387D777443BF865EEFD
                      SHA1:E802BE85298183F050141EAEB87930657A8E07A6
                      SHA-256:C57CE112AB04B00CC7270B6D76F005FFB8E2ED3ADC6904CF5C5F184EE077FA32
                      SHA-512:776F5B5640C22373E641DE4C3C6F4C7DFF0CD39662108B8DFA070EE0A867B3A6401976BD2B78BC766D469105AF2E6E466C4140FFE40C49146BB6B09591676773
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............mo..mo..mo..j..mo..l..mo..k..mo..n..mo..mn..mo..g..mo.....mo..m..mo.Rich.mo.........PE..d......K.........."..........&......@..........@.............................p......?:....`.......... .......................................&.......P.......@...............`.. ....#..T............................ ...............!...............................text...@........................... ..`.rdata....... ......................@..@.data........0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc.. ....`.......2..............@..B................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.918885153527605
                      Encrypted:false
                      SSDEEP:12288:MZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:MZK6F7n5eRmDFJivohZFV
                      MD5:EC010E746CB3015368C614116974F7C3
                      SHA1:487E2034D56891ED4944FBB3C6A5B60A564D9242
                      SHA-256:BD3080241DD119ED49AD8018720A2DF840A2A5CB0B2805838FCB96D042F9C11E
                      SHA-512:91CA03EFAE7230D39C834899C7AFB5A5DA189FA064939929EC4E171B8790A780DB60331941CB32D8E1018D179A50ED8F7785EF86D462D7DDC23A90CB8B6E8E6B
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................]...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):1425408
                      Entropy (8bit):4.917302008805113
                      Encrypted:false
                      SSDEEP:12288:8ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:8ZK6F7n5eRmDFJivohZFV
                      MD5:C6081FA40DD019E8A1A6BD108BDCEC7B
                      SHA1:ACC21C013C4BAD0D1E8898D378F228992FA08597
                      SHA-256:F747A95A6B92DA91FD9DF5471682F76B77E4A260327108C0D1D411C8FB13E9BD
                      SHA-512:6DE330AFB4410EC7B866FA060BAD61751310AB9CBAC171423CD849D5B3D6033A7D2273164CBB639100F43176ABF0E790186D175F720B7AD29D8769BE0175A8EE
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.G...}^.........." ..... ...........$.........@..........................................`.............................................+...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata...o...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....
                      Process:C:\Windows\explorer.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):143872
                      Entropy (8bit):6.942627183104786
                      Encrypted:false
                      SSDEEP:3072:0BuGag041hcWp1icKAArDZz4N9GhbkUNEk95l:5hudp0yN90vE
                      MD5:ED93B350C8EEFC442758A00BC3EEDE2D
                      SHA1:ADD14417939801C555BBBFFAF7388BD13DE2DE42
                      SHA-256:ABD6D466E30626636D380A3C9FCC0D0B909C450F8EA74D8963881D7C46335CED
                      SHA-512:7BA8D1411D9AEE3447494E248005A43F522CA684839FCD4C4592946B12DC4E73B1FF86D8E843B25A73E3F2463955815470304E4F219B36DBC94870BEBF700581
                      Malicious:false
                      Reputation:unknown
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...............`.......`.......`.......`..........,....`.......`0......`......Rich............................PE..d...._.{.........."......r...........w.........@.....................................R....`.......... .......................................................................... .......T............................................... ............................text....q.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc.. ............0..............@..B................................................................................................................................................................................................................................................................
                      Process:C:\Windows\explorer.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):1450
                      Entropy (8bit):7.3521104906654084
                      Encrypted:false
                      SSDEEP:24:UMveCU72gUAqtkT3uNuoDh8GQSkuFvZrOKTyEgloXExwlOkk7jAqteaAB5ca:UCez71UITgsHSjvrTyEgGwwOkk/yPB6a
                      MD5:E5517F1E7F0DB67CE997DCD63DA2131B
                      SHA1:2F9ADF9CBE58DAC2A2ED13536DF7BE47B6307AFE
                      SHA-256:5D393037E0DD30F76B36E7E64184FC1E891EE4B69CBECC61FD16FF2DFE24F2C3
                      SHA-512:B687E8413D0080FB20BD26AB56230AACD5CF42AD6B414FD47FE8C981DE53C81B4AED7026A6756AC8157F11D1F6EC9667BE9C9006C56D21DCC1481F508142EFEC
                      Malicious:false
                      Reputation:unknown
                      Preview:........................................user.....................RSA1.....................K)at.b.O;.u..%.. ....uO.....M(..6.Nt.7...+...F.p..@x............Q..k._....E3E.06J....@#.7?....x...../.dn..P$...Y.IWG.....................z..O..........d..G...,c.R.....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ......z^.`....$4.......]...._$M............ ...}r.9...L...V."..Y\S.])..n.=).-.....I....`..9..W.pdhu..R.Y.WZ.(/5)..N.T.G6........R....vvz..0.yd..pr.52.v(..^.._..!..Sdjq0.,B....-T5..*..0.m.....p..\...>D....r.j.b].M*E\Fr..+c.7.n...b.....ta.t....A.PZ......j;`.m.$*...A|..2$..."...:..eS......;(;Y....5n./.}....qd..>.P..... `D.@&7H.J=8...3)n.....%............&........G.....yN{................g...N.....F.W.K.@..gS..c.U.V. p..5./.!..%3.X7......$.7........U.+yzpnx.l.....l.j .f....\b.q.>..+q$..u.U...(....PO;t.9.|...;&.8E.Y.c.&..@..i..p..L.....Ws;...................Z..JZM..I>.L.0.3),.3...+t.#../.+..j..^w.k..O...F(r|mh..5.....z:^Bk.z,..0...&.Pb..%
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):4.928559438186432
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:mpXUd364Rz.dll
                      File size:1421312
                      MD5:76a03b741a85be73b47b1a72cea1becb
                      SHA1:f453704ee0177d5771766870bc871e7c048a6c61
                      SHA256:7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
                      SHA512:86c59d8d2c2111175d541dd17ecc7b1ab89eb0e5400f2db21d70346af7871d2ac3008aca9ec762bbd7508b2c8ac9122111bfc83356c1d413bf1c693fbc74ec95
                      SSDEEP:12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
                      File Content Preview:MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb
                      Icon Hash:74f0e4ecccdce0e4
                      Entrypoint:0x1400424b0
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x140000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                      Time Stamp:0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:4a2e61e1749a0183eccaadb9c4ef6ec2
Instruction (entrypoint disassembly; the listing decodes this x86-64 image as 32-bit code, so the REX prefixes 0x40-0x4F appear as dec eax / dec esp / dec ecx / inc esp and the operand sizes and displacements shown are not those of the real 64-bit instructions)
                      dec eax
                      mov dword ptr [00070639h], ecx
                      dec eax
                      lea ecx, dword ptr [FFFFF2F2h]
                      dec esp
                      mov dword ptr [0007064Bh], eax
                      dec esp
                      mov dword ptr [00070654h], edi
                      dec esp
                      mov dword ptr [00070655h], esi
                      dec eax
                      xor eax, eax
                      dec eax
                      inc eax
                      dec eax
                      add ecx, eax
                      dec esp
                      mov dword ptr [00070655h], esp
                      dec eax
                      dec ecx
                      dec eax
                      mov dword ptr [00070653h], esi
                      dec eax
                      test eax, eax
                      je 00007F8D44EAC25Dh
                      dec eax
                      mov dword ptr [0007060Fh], esp
                      dec eax
                      mov dword ptr [00070600h], ebp
                      dec eax
                      mov dword ptr [00070649h], ebx
                      dec eax
                      mov dword ptr [0007063Ah], edi
                      dec eax
                      test eax, eax
                      je 00007F8D44EAC23Ch
                      dec esp
                      mov dword ptr [000705FEh], ecx
                      dec esp
                      mov dword ptr [0007060Fh], ebp
                      dec eax
                      mov dword ptr [000705D0h], edx
                      jmp ecx
                      dec eax
                      add edi, ecx
                      retn 0008h
                      ud2
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      push esi
                      dec eax
                      sub esp, 00000080h
                      dec eax
                      mov dword ptr [esp+78h], 58225FC8h
                      mov dword ptr [esp+60h], 2DFAE652h
                      mov al, byte ptr [esp+77h]
                      mov dl, al
                      add dl, FFFFFF85h
                      mov byte ptr [esp+77h], dl
                      mov word ptr [esp+5Eh], 3327h
                      dec esp
                      mov eax, dword ptr [esp+78h]
                      inc esp
                      mov ecx, dword ptr [esp+64h]
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x15a010         0x22b         .kuh
IMAGE_DIRECTORY_ENTRY_IMPORT         0xa9924          0x3c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       0xbf000          0x3d8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x1000           0x0           .text
IMAGE_DIRECTORY_ENTRY_BASERELOC      0xc0000          0xefc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x43000          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
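The report lists the data directories and the section table as raw numbers. The script below is an added example, not Joe Sandbox code; it shows how a static triage pass turns those numbers into findings of the kind the report's signatures rest on: the 8-bit Shannon entropy metric behind the "Entropy (8bit)" fields, the RVA-to-section lookup behind the "Is in Section" column, the number of imports implied by the IAT and import directory sizes, and checks that flag non-standard section names, packed code and zero-entropy padding sections. The section rows and directory entries are copied from this report (only part of the section table is reproduced; the export directory's section .kuh lies beyond the copied rows, so the script reports that directory as outside the listed sections). The entropy threshold, the list of expected section names and the standard-linker-layout assumption used for the import count are the example's own assumptions.

```python
"""PE triage over the data directories and section table of a Joe Sandbox
report. Added example, not Joe Sandbox code. Section rows and directory
entries are copied from the report for mpXUd364Rz.dll (subset of the section
table); thresholds and the expected-section-name list are assumptions."""
import math
from collections import Counter

IMAGE_BASE = 0x140000000
ENTRYPOINT = 0x1400424B0        # report: Entrypoint / Imagebase

# (name, virtual address, virtual size, raw size, entropy) from the report.
SECTIONS = [
    (".text",   0x1000,  0x418CC, 0x42000, 7.78392111205),
    (".rdata",  0x43000, 0x66FE7, 0x67000, 7.87281050709),
    (".data",   0xAA000, 0x13BA7, 0x14000, 2.51707039551),
    (".pdata",  0xBE000, 0x138,   0x1000,  0.599172422844),
    (".rsrc",   0xBF000, 0x69E,   0x1000,  1.07831823765),
    (".reloc",  0xC0000, 0xF31,   0x1000,  5.36145191459),
    (".vxl",    0xC1000, 0x14D4,  0x2000,  0.0),
    (".qwubgr", 0xC3000, 0x1124,  0x2000,  0.0),
    (".lug",    0xFD000, 0x45174, 0x46000, 0.0),
]

# Non-empty data directories (name, RVA, size) from the report. The export
# directory sits in .kuh, a section that comes after the rows copied above.
DIRECTORIES = [
    ("EXPORT",    0x15A010, 0x22B),
    ("IMPORT",    0xA9924,  0x3C),
    ("RESOURCE",  0xBF000,  0x3D8),
    ("BASERELOC", 0xC0000,  0xEFC),
    ("IAT",       0x43000,  0x28),
]

# Section names a normal MSVC-linked image is expected to carry (assumed list).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".didat", ".CRT", ".gfids"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the report's 'Entropy (8bit)'.
    8.0 means every byte value is equally frequent; 0.0 means a single value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose mapped range contains rva, else None.
    The mapped range is VA .. VA + max(virtual size, raw size)."""
    for name, va, vsize, raw, _ in sections:
        if va <= rva < va + max(vsize, raw):
            return name
    return None


def import_summary(iat_size: int, import_dir_size: int, ptr_size: int = 8):
    """(DLL count, imported function count) implied by the directory sizes,
    assuming the standard linker layout: one 20-byte IMAGE_IMPORT_DESCRIPTOR
    per DLL plus a null terminator, and one pointer-sized IAT slot per
    function plus one null slot per DLL."""
    dlls = import_dir_size // 20 - 1
    slots = iat_size // ptr_size
    return dlls, slots - dlls


def triage(sections=SECTIONS, directories=DIRECTORIES, entrypoint=ENTRYPOINT):
    """Return the findings a first-pass static triage would raise."""
    findings = []
    ep_rva = entrypoint - IMAGE_BASE
    findings.append(f"entrypoint RVA {ep_rva:#x} lies in {section_for_rva(ep_rva, sections)}")
    for name, va, vsize, raw, entropy in sections:
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name} at {va:#x}")
        if entropy > 7.0:                       # threshold is an assumption
            findings.append(f"high-entropy section {name} ({entropy:.2f}): likely packed or encrypted")
        if entropy == 0.0 and raw > 0:
            findings.append(f"zero-entropy section {name}: {raw:#x} bytes of padding on disk")
    for dname, rva, size in directories:
        if section_for_rva(rva, sections) is None:
            findings.append(f"{dname} directory at {rva:#x} is outside the listed sections")
    dlls, funcs = import_summary(
        next(s for n, _, s in directories if n == "IAT"),
        next(s for n, _, s in directories if n == "IMPORT"))
    findings.append(f"import table names only {funcs} functions from {dlls} DLLs")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
    print("entropy of 256 distinct byte values:", shannon_entropy(bytes(range(256))))
```

The import count is the point to dwell on: a 0x28-byte IAT and a 0x3c-byte import directory leave room for three imported functions from two DLLs, which is far too few for a 1.4 MB DLL and means the rest of the API surface is resolved at run time. The zero-entropy sections with random names carry no data at all and exist only to pad the file and to defeat section-name heuristics.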
Name    Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity  File Type           Entropy         Characteristics
.text   0x1000          0x418cc      0x42000  False    0.781412760417   data                7.78392111205   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x43000         0x66fe7      0x67000  False    0.700320938258   data                7.87281050709   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xaa000         0x13ba7      0x14000  False    0.0782836914062  data                2.51707039551   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0xbe000         0x138        0x1000   False    0.061279296875   PEX Binary Archive  0.599172422844  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0xbf000         0x69e        0x1000   False    0.123291015625   data                1.07831823765   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc0000         0xf31        0x1000   False    0.416748046875   data                5.36145191459   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl    0xc1000         0x14d4       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr 0xc3000         0x1124       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer    0xc5000         0x1e66       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf 0xc7000         0x9cd        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc    0xc8000         0x42a        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda  0xc9000         0x736        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs    0xca000         0x1af        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj  0xcb000         0x1455       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi   0xcd000         0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh 0xce000         0x6cd0       0x7000   False    0.00177873883929 data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp 0xd5000         0x543        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso   0xd6000         0x1278       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat 0xd8000         0x736        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh  0xd9000         0xbf6        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek 0xda000         0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui 0xdb000         0x9cd        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm 0xdc000         0x1124       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms    0xde000         0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj    0xdf000         0x1278       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb  0xe1000         0x706        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw  0xe2000         0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl    0xe3000         0x9cd        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn   0xe4000         0x5a7        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr   0xe5000         0x1ee        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep    0xe6000         0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg    0xe7000         0xd33        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp   0xe8000         0x2da        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzb    0xe9000         0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fatlss 0xea000         0x736        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plqa   0xeb000         0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vzt    0xec000         0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsbyd  0xed000         0x1e66       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cdelc  0xef000         0x736        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkhkj  0xf0000         0x5a7        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mnzegr 0xf1000         0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.krw    0xf2000         0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jvsmn  0xf3000         0x389        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bygpq  0xf4000         0x1278       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kzdbu  0xf6000         0xbde        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwxorn 0xf7000         0x3fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raf    0xf8000         0x389        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zcyw   0xf9000         0x2da        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zeczh  0xfa000         0x128f       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pvv    0xfc000         0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lug    0xfd000         0x45174      0x46000  False    0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ski    0x143000        0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.japjd  0x144000        0x128f       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwtzml 0x146000        0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vgssf  0x147000        0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gsroye 0x148000        0x1278       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vcmr   0x14a000        0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kvjqnl 0x14b000        0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zlu    0x14c000        0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nrcvk  0x14d000        0x3fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pfz    0x14e000        0x1278       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hxz    0x150000        0x1f2a       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.snjrs  0x152000        0x736        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bffts  0x153000        0x128f       0x2000   False    0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gknvh  0x155000        0x13e        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mifiod 0x156000        0x23b        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.whmsy  0x157000        0x8fe        0x1000   False    0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .wtuzur0x1580000x8fe0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .lwtn0x1590000x3fe0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .kuh0x15a0000x23b0x1000False0.081298828125data1.12911235994IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
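The rows above are the static trait behind the "PE file contains sections with non-standard names" and "PE file contains section with special chars" signatures: dozens of randomly named sections, each a few hundred bytes of virtual size backed by a page or two of zero-entropy data, all flagged only INITIALIZED_DATA | MEM_READ. The following is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling: a stdlib-only Python parser for the PE section table that recomputes the name, size, entropy and characteristics columns and flags this padding pattern. It runs against a synthetic PE32+ image built in memory (constructed test input modelled on the rows above, not the sample itself); the STANDARD_NAMES allow-list and the 0.5-bit entropy threshold are assumptions of this example.

```python
"""Parse a PE section table and flag what this report's section table shows:
many randomly named, read-only INITIALIZED_DATA sections holding near-zero-
entropy bytes. Stdlib only; the input is a synthetic PE32+ built in memory."""
import math
import re
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names common linkers emit (assumed allow-list; extend it for your toolchains).
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                  ".idata", ".edata", ".tls", ".bss", ".CRT", ".xdata"}


def entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for all-identical bytes, 8.0 at most."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Walk the IMAGE_SECTION_HEADER array of a PE image held in memory and return
    one dict per section: name, vaddr, vsize, raw_size, characteristics, entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): skip Machine, read NumberOfSections, skip
    # TimeDateStamp/PointerToSymbolTable/NumberOfSymbols, read SizeOfOptionalHeader.
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, 2 reloc/lineno pointers, 2 counts, Characteristics.
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw_name, vsize, vaddr, raw_size, raw_ptr = fields[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "characteristics": fields[9], "entropy": entropy(raw)})
    return sections


def section_findings(sections, low_entropy=0.5):
    """Return (name, reason) pairs for names outside STANDARD_NAMES, names with
    characters outside [A-Za-z0-9_.$], and read-only initialized-data sections
    whose raw bytes are almost all identical (the padding pattern in the report)."""
    findings = []
    mask = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in sections:
        name = s["name"]
        if name not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
        if not re.fullmatch(r"[A-Za-z0-9_.$]+", name):
            findings.append((name, "empty name or special characters in section name"))
        read_only_data = (s["characteristics"] & mask) == IMAGE_SCN_CNT_INITIALIZED_DATA
        if read_only_data and s["raw_size"] and s["entropy"] < low_entropy:
            findings.append((name, "near-empty read-only data section (padding?)"))
    return findings


def build_synthetic_pe(sections, file_align=0x200, sect_align=0x1000):
    """Build a minimal PE32+ image in memory from (name, raw_bytes, characteristics)
    tuples: DOS header with e_lfanew, PE signature, file header, a zeroed optional
    header carrying the PE32+ magic, the section table and file-aligned raw data."""
    opt_size = 0xF0
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + file_align - 1) // file_align * file_align
    va, headers, blobs = sect_align, b"", b""
    for name, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                               len(padded), raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += padded
        va += (len(raw) + sect_align - 1) // sect_align * sect_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zero
    img = dos + b"PE\0\0" + file_hdr + opt_hdr + headers
    return img + b"\0" * (raw_ptr - len(img)) + blobs


# Constructed test input modelled on the rows above (names, sizes, flags); not the sample.
SAMPLE_PE = build_synthetic_pe([
    (".text", bytes(range(256)) * 8, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".gzb", b"\0" * 0x23B, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".fatlss", b"\0" * 0x736, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".kuh", b"\0" * 0x200 + b"A" * 0x3B, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['vaddr']:x} vsize=0x{s['vsize']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f} chars=0x{s['characteristics']:08x}")
    for name, reason in section_findings(secs):
        print(f"  {name}: {reason}")
```

To run it on a real file, replace SAMPLE_PE with `open(path, "rb").read()`; the parser reads only the section headers and the bytes they point to, so a truncated or packed file still yields a table. A high count of findings of the third kind on an otherwise small DLL is the cheap static tell this report's section table illustrates.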
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xbf0a0 | 0x2dc | data | English | United States
RT_MANIFEST | 0xbf380 | 0x56 | ASCII text, with CRLF line terminators | English | United States
DLL | Import
ADVAPI32.dll | GetServiceDisplayNameW
KERNEL32.dll | LoadLibraryA, HeapUnlock
Name | Ordinal | Address
GetFileVersionInfoA | 1 | 0x140005ff8
GetFileVersionInfoByHandle | 2 | 0x14003d2fc
GetFileVersionInfoExA | 3 | 0x140016048
GetFileVersionInfoExW | 4 | 0x14001f07c
GetFileVersionInfoSizeA | 5 | 0x140028014
GetFileVersionInfoSizeExA | 6 | 0x140004d40
GetFileVersionInfoSizeExW | 7 | 0x140042050
GetFileVersionInfoSizeW | 8 | 0x1400236bc
GetFileVersionInfoW | 9 | 0x14001dcf4
VerFindFileA | 10 | 0x140019c98
VerFindFileW | 11 | 0x1400083e0
VerInstallFileA | 12 | 0x140023dcc
VerInstallFileW | 13 | 0x1400301c4
VerLanguageNameA | 14 | 0x14001fea8
VerLanguageNameW | 15 | 0x14003dca4
VerQueryValueA | 16 | 0x14001eed0
VerQueryValueW | 17 | 0x14002bafc
Description | Data
LegalCopyright | Microsoft Corporation. All rights
InternalName | dpnhup
FileVersion | 1.56
CompanyName | Microsoft C
ProductName | Sysinternals Streams
ProductVersion | 6.1
FileDescription | Thai K
OriginalFilename | dpnhupnp.d
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States
                      No network behavior found


                      Target ID:1
                      Start time:16:12:12
                      Start date:23/03/2022
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\mpXUd364Rz.dll"
                      Imagebase:0x7ff7f06b0000
                      File size:140288 bytes
                      MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:3
                      Start time:16:12:12
                      Start date:23/03/2022
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
                      Imagebase:0x7ff7bb450000
                      File size:273920 bytes
                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:4
                      Start time:16:12:13
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.336980954.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:5
                      Start time:16:12:13
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000005.00000002.239061197.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:6
                      Start time:16:12:14
                      Start date:23/03/2022
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\Explorer.EXE
                      Imagebase:0x7ff6f3b00000
                      File size:3933184 bytes
                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:8
                      Start time:16:12:16
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoByHandle
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.246338634.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:9
                      Start time:16:12:20
                      Start date:23/03/2022
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoExA
                      Imagebase:0x7ff720760000
                      File size:69632 bytes
                      MD5 hash:73C519F050C20580F8A62C849D49215A
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.253527112.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:19
                      Start time:16:13:01
                      Start date:23/03/2022
                      Path:C:\Windows\System32\MDMAppInstaller.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\MDMAppInstaller.exe
                      Imagebase:0x7ff747020000
                      File size:145920 bytes
                      MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      Target ID:20
                      Start time:16:13:04
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe
                      Imagebase:0x7ff77c190000
                      File size:145920 bytes
                      MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:22
                      Start time:16:13:15
                      Start date:23/03/2022
                      Path:C:\Windows\System32\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\iexpress.exe
                      Imagebase:0x7ff6614e0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:23
                      Start time:16:13:20
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe
                      Imagebase:0x7ff700cd0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.405019771.00007FFFEF941000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                      Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

                      Target ID:24
                      Start time:16:13:32
                      Start date:23/03/2022
                      Path:C:\Windows\System32\wextract.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wextract.exe
                      Imagebase:0x7ff6349d0000
                      File size:143872 bytes
                      MD5 hash:ED93B350C8EEFC442758A00BC3EEDE2D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:25
                      Start time:16:13:34
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\xwE\wextract.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\xwE\wextract.exe
                      Imagebase:0x7ff78e550000
                      File size:143872 bytes
                      MD5 hash:ED93B350C8EEFC442758A00BC3EEDE2D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000019.00000002.434475222.00007FFFF6CC1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security

                      Target ID:28
                      Start time:16:13:45
                      Start date:23/03/2022
                      Path:C:\Windows\System32\SystemPropertiesAdvanced.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\SystemPropertiesAdvanced.exe
                      Imagebase:0x7ff6e4c60000
                      File size:83968 bytes
                      MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:29
                      Start time:16:13:47
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\pUTm\SystemPropertiesAdvanced.exe
                      Imagebase:0x7ff773110000
                      File size:83968 bytes
                      MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.467061353.00007FFFF6CC1000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security

                      Target ID:30
                      Start time:16:14:01
                      Start date:23/03/2022
                      Path:C:\Windows\System32\FileHistory.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\FileHistory.exe
                      Imagebase:0x7ff70be70000
                      File size:246784 bytes
                      MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:31
                      Start time:16:14:02
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\SUX56B\FileHistory.exe
                      Imagebase:0x7ff6f1240000
                      File size:246784 bytes
                      MD5 hash:989B5BDB2BEAC9F894BBC236F1B67967
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.477016719.00007FFFF0DB1000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security

                      Target ID:32
                      Start time:16:14:05
                      Start date:23/03/2022
                      Path:C:\Windows\System32\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\iexpress.exe
                      Imagebase:0x7ff6614e0000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:33
                      Start time:16:14:07
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\KGg\iexpress.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\KGg\iexpress.exe
                      Imagebase:0x7ff6ecf60000
                      File size:165888 bytes
                      MD5 hash:5EF563C2A4E7B7F4100ECD13B304FC48
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.512237394.00007FFFF0DB1000.00000020.00000001.01000000.00000016.sdmp, Author: Joe Security

                      Target ID:35
                      Start time:16:14:22
                      Start date:23/03/2022
                      Path:C:\Windows\System32\sppsvc.exe
                      Wow64 process (32bit):
                      Commandline:C:\Windows\system32\sppsvc.exe
                      Imagebase:
                      File size:4527680 bytes
                      MD5 hash:FEEC8055C5986182C717DD888000AEF6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:36
                      Start time:16:14:24
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\4gdyz\sppsvc.exe
                      Imagebase:0x7ff74eb10000
                      File size:4527680 bytes
                      MD5 hash:FEEC8055C5986182C717DD888000AEF6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.560357001.00007FFFF6CC1000.00000020.00000001.01000000.00000018.sdmp, Author: Joe Security
                      Antivirus matches:
• Detection: 0%, Virustotal
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs

                      Target ID:39
                      Start time:16:14:45
                      Start date:23/03/2022
                      Path:C:\Windows\System32\SystemPropertiesComputerName.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\SystemPropertiesComputerName.exe
                      Imagebase:0x7ff7f9760000
                      File size:83968 bytes
                      MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language

                      Target ID:40
                      Start time:16:14:47
                      Start date:23/03/2022
                      Path:C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\lcdNfR\SystemPropertiesComputerName.exe
                      Imagebase:0x7ff6726f0000
                      File size:83968 bytes
                      MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000028.00000002.595122213.00007FFFE31A1000.00000020.00000001.01000000.0000001B.sdmp, Author: Joe Security

                      Target ID:41
                      Start time:16:15:03
                      Start date:23/03/2022
                      Path:C:\Windows\System32\InfDefaultInstall.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\InfDefaultInstall.exe
                      Imagebase:0x7ff64c2b0000
                      File size:13312 bytes
                      MD5 hash:5FDB30927E9D4387D777443BF865EEFD
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
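The process list above shows the pattern behind "Benign windows process drops PE files": each Windows utility (MDMAppInstaller.exe, iexpress.exe, wextract.exe, SystemPropertiesAdvanced.exe, FileHistory.exe, sppsvc.exe, SystemPropertiesComputerName.exe) runs once from C:\Windows\System32 and then again from a randomly named directory under C:\Users\user\AppData\Local, and it is the second instance that carries the Dridex Yara match. The AppData copies have the same MD5 as the System32 originals and 0% AV detection, so file reputation says nothing about them; what a hunt can key on is the path anomaly, plus, for the sandbox's own rundll32 launches, the ordinal export call ",#1" that the Sigma rule "Suspicious Call by Ordinal" matches. The following is an added example, not from the report or from Joe Security: Python detection logic over process-creation events. The event records are constructed here from the report's own paths, hashes and command lines; the example assumes your telemetry supplies an image hash per event (Sysmon Event ID 1 with hashing enabled does), and the directory lists are this example's own.

```python
"""Hunt over process-creation events for two patterns this report shows:
(1) a Windows system binary re-launched from a user-writable directory, i.e.
    the same on-disk hash as a System32 image but a path under AppData, and
(2) rundll32 invoking a DLL export by ordinal ("...dll,#1").
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the executed image
    md5: str        # hash of the image file on disk (Sysmon "Hashes" field)
    cmdline: str


# Constructed sample log; pids are the report's Target IDs, paths, hashes and
# command lines are copied from its process list.
SAMPLE_EVENTS = [
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", "4E2ACF4F8A396486AB4268C94A6A245F",
              r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1'),
    ProcEvent(4, r"C:\Windows\System32\rundll32.exe", "73C519F050C20580F8A62C849D49215A",
              r"rundll32.exe C:\Users\user\Desktop\mpXUd364Rz.dll,GetFileVersionInfoA"),
    ProcEvent(5, r"C:\Windows\System32\rundll32.exe", "73C519F050C20580F8A62C849D49215A",
              r'rundll32.exe "C:\Users\user\Desktop\mpXUd364Rz.dll",#1'),
    ProcEvent(6, r"C:\Windows\explorer.exe", "AD5296B280E8F522A8A897C96BAB0E1D",
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(19, r"C:\Windows\System32\MDMAppInstaller.exe", "E2C777B6E3CE4C15C5657429A63787A3",
              r"C:\Windows\system32\MDMAppInstaller.exe"),
    ProcEvent(20, r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe",
              "E2C777B6E3CE4C15C5657429A63787A3",
              r"C:\Users\user\AppData\Local\USNBng\MDMAppInstaller.exe"),
    ProcEvent(22, r"C:\Windows\System32\iexpress.exe", "5EF563C2A4E7B7F4100ECD13B304FC48",
              r"C:\Windows\system32\iexpress.exe"),
    ProcEvent(23, r"C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe",
              "5EF563C2A4E7B7F4100ECD13B304FC48",
              r"C:\Users\user\AppData\Local\E4DREUfrP\iexpress.exe"),
]

# Assumed directory lists (tune for your estate; C:\Windows\Temp would need excluding).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\")
# rundll32 <anything>.dll,#<number>: export called by ordinal rather than by name.
ORDINAL_CALL = re.compile(r'rundll32(\.exe)?\s+.*?\.dll"?\s*,\s*#\d+', re.IGNORECASE)


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def _in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_relocated_system_binaries(events):
    """Return (pid, image) for executions whose file hash equals that of a binary
    seen running from a Windows system directory, but whose own path is in a
    user-writable location. Pairing on the hash rather than the file name avoids
    flagging an unrelated program that merely shares a name with a system tool."""
    system_hashes = {e.md5.lower() for e in events if _in_system_dir(e.image)}
    return [(e.pid, e.image) for e in events
            if e.md5.lower() in system_hashes
            and not _in_system_dir(e.image) and _in_user_writable(e.image)]


def find_ordinal_rundll32_calls(events):
    """Return (pid, cmdline) for rundll32 command lines that call an export by ordinal."""
    return [(e.pid, e.cmdline) for e in events if ORDINAL_CALL.search(e.cmdline)]


if __name__ == "__main__":
    for pid, image in find_relocated_system_binaries(SAMPLE_EVENTS):
        print(f"[relocated system binary] pid={pid} {image}")
    for pid, cmdline in find_ordinal_rundll32_calls(SAMPLE_EVENTS):
        print(f"[rundll32 ordinal call]   pid={pid} {cmdline}")
```

The first rule works over a batch; in a streaming detector keep a persistent hash-to-path map of images seen under the system directories so the AppData launch is caught even when the System32 run happened days earlier. Once the relocated binary is identified, the next pivot is the DLL it loads from that same AppData directory, which is where the hash-based checks start to matter again.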


                        Execution Graph

                        Execution Coverage:2.4%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:42.7%
                        Total number of Nodes:398
                        Total number of Limit Nodes:45
Execution graph (node/edge data of the interactive graph viewer; only the named calls and entry points are recoverable from the dump, which is cut off before its end). Nodes are addresses inside the unpacked module in memory; the only symbol the disassembler attached is _RunAllParam, and collapsed "limit nodes" appear as "_RunAllParam 2 API calls".

Graph roots (nodes with no incoming edge in the dump):
- 0x7fffe20170f0: reaches RtlCreateHeap at 0x7fffe2017128
- 0x7fffe2017200: reaches RtlDeleteBoundaryDescriptor at 0x7fffe20171e0
- 0x7fffe202ed10: reaches FindFirstFileExW at 0x7fffe202ed53 and, through 0x7fffe202ddc0, GetSystemInfo at 0x7fffe202eb7c

Other API calls named in the dump:
- LdrLoadDll at 0x7fffe20199e0 and 0x7fffe2016d80 (the latter also FindNextFileW)
- FindNextFileW at 0x7fffe202ec40 and 0x7fffe202ec94
- GetTokenInformation at 0x7fffe201d6d6 and 0x7fffe201af7f
- NtClose, LdrLoadDll, FindNextFileW in the collapsed node 0x7fffe2029410
- 0x7fffe2019540 is listed as "14 API calls" without itemization
API calls 76371 7fffe201aca3 76363->76371 76364 7fffe2018a60 _RunAllParam 2 API calls 76364->76356 76365->76353 76379 7fffe201a766 _RunAllParam 76365->76379 76366 7fffe2035760 _RunAllParam 2 API calls 76366->76368 76377 7fffe201afb9 _RunAllParam 76367->76377 76368->76348 76368->76366 76374 7fffe201a777 _RunAllParam 76368->76374 76368->76379 76369 7fffe2035760 _RunAllParam 2 API calls 76369->76371 76372 7fffe2019ad0 _RunAllParam 2 API calls 76370->76372 76370->76378 76371->76362 76371->76369 76383 7fffe201adf7 _RunAllParam 76371->76383 76389 7fffe201ade6 _RunAllParam 76371->76389 76372->76378 76373 7fffe201b608 GetTokenInformation 76373->76352 76385 7fffe201b632 76373->76385 76376 7fffe2019ad0 _RunAllParam 2 API calls 76374->76376 76374->76379 76375 7fffe2035760 _RunAllParam 2 API calls 76375->76377 76376->76379 76377->76373 76377->76375 76387 7fffe201b197 _RunAllParam 76377->76387 76393 7fffe201b223 _RunAllParam 76377->76393 76378->76363 76378->76389 76379->76348 76379->76354 76380 7fffe2018a60 _RunAllParam 2 API calls 76384 7fffe201b5ee 76380->76384 76381 7fffe20197d0 _RunAllParam 2 API calls 76399 7fffe201b31b 76381->76399 76382 7fffe2035760 _RunAllParam 2 API calls 76382->76385 76386 7fffe2019ad0 _RunAllParam 2 API calls 76383->76386 76383->76389 76384->76352 76384->76373 76385->76382 76392 7fffe201b873 _RunAllParam 76385->76392 76397 7fffe201bc3e 76385->76397 76400 7fffe201b7e7 _RunAllParam 76385->76400 76386->76389 76388 7fffe2019ad0 _RunAllParam 2 API calls 76387->76388 76387->76393 76388->76393 76389->76362 76389->76364 76390 7fffe2018a60 _RunAllParam 2 API calls 76390->76397 76391 7fffe20197d0 _RunAllParam 2 API calls 76394 7fffe201b96b 76391->76394 76392->76391 76420 7fffe201baa6 _RunAllParam 76392->76420 76393->76381 76414 7fffe201b456 _RunAllParam 76393->76414 76394->76352 76404 7fffe2035760 _RunAllParam 2 API calls 76394->76404 76416 7fffe201bab7 _RunAllParam 76394->76416 76394->76420 76395 7fffe201c27a 76395->76352 76407 7fffe201c29e _RunAllParam 
76395->76407 76396 7fffe2035760 _RunAllParam 2 API calls 76396->76399 76397->76352 76397->76395 76398 7fffe2035760 _RunAllParam 2 API calls 76397->76398 76412 7fffe201be25 _RunAllParam 76397->76412 76415 7fffe201be14 _RunAllParam 76397->76415 76398->76397 76399->76352 76399->76396 76405 7fffe201b467 _RunAllParam 76399->76405 76399->76414 76400->76392 76401 7fffe2019ad0 _RunAllParam 2 API calls 76400->76401 76401->76392 76402 7fffe2018a60 _RunAllParam 2 API calls 76402->76395 76403 7fffe20197d0 _RunAllParam 2 API calls 76408 7fffe201bfab 76403->76408 76404->76394 76410 7fffe2019ad0 _RunAllParam 2 API calls 76405->76410 76405->76414 76406->76257 76407->76406 76517 7fffe2017770 76407->76517 76408->76352 76409 7fffe2035760 _RunAllParam 2 API calls 76408->76409 76418 7fffe201c0f7 _RunAllParam 76408->76418 76421 7fffe201c0e6 _RunAllParam 76408->76421 76409->76408 76410->76414 76413 7fffe2019ad0 _RunAllParam 2 API calls 76412->76413 76412->76415 76413->76415 76414->76352 76414->76380 76415->76403 76415->76421 76417 7fffe2019ad0 _RunAllParam 2 API calls 76416->76417 76416->76420 76417->76420 76418->76352 76419 7fffe2019ad0 _RunAllParam 2 API calls 76418->76419 76418->76421 76419->76421 76420->76352 76420->76390 76421->76352 76421->76402 76422->76257 76424 7fffe20100b0 _RunAllParam 2 API calls 76423->76424 76425 7fffe2010294 76424->76425 76425->76283 76427 7fffe2033607 _RunAllParam 76426->76427 76443 7fffe2032e60 76427->76443 76429 7fffe2033618 76429->76286 76481 7fffe20326a0 76430->76481 76432 7fffe203277a _RunAllParam 76432->76288 76434 7fffe2010150 _RunAllParam 2 API calls 76433->76434 76435 7fffe2032a94 76434->76435 76494 7fffe2032810 76435->76494 76437 7fffe2032aa4 76438 7fffe2032abb _RunAllParam 76437->76438 76508 7fffe2010330 LdrLoadDll FindNextFileW _RunAllParam 76437->76508 76438->76290 76441 7fffe2019ad0 _RunAllParam 2 API calls 76440->76441 76442 7fffe1ffd428 76441->76442 76442->76294 76444 7fffe2032e8b _RunAllParam 76443->76444 76445 7fffe2019ad0 _RunAllParam 2 
API calls 76444->76445 76448 7fffe2032ed7 76445->76448 76446 7fffe203312e 76447 7fffe201d730 _RunAllParam 2 API calls 76446->76447 76449 7fffe2033136 _RunAllParam 76447->76449 76448->76446 76464 7fffe2032f00 _RunAllParam 76448->76464 76450 7fffe2019ad0 _RunAllParam 2 API calls 76449->76450 76460 7fffe2033166 _RunAllParam 76449->76460 76462 7fffe2033124 76450->76462 76451 7fffe20332b9 76451->76429 76452 7fffe20330b0 76455 7fffe20330e1 _RunAllParam 76452->76455 76456 7fffe2019ad0 _RunAllParam 2 API calls 76452->76456 76453 7fffe2019ad0 LdrLoadDll FindNextFileW _RunAllParam 76453->76464 76454 7fffe2033164 RegCloseKey 76454->76460 76458 7fffe2019ad0 _RunAllParam 2 API calls 76455->76458 76455->76460 76456->76455 76457 7fffe2032f56 RegCloseKey 76457->76464 76458->76462 76459 7fffe2032fa4 RegEnumKeyW 76459->76452 76459->76464 76460->76451 76461 7fffe202ddc0 10 API calls 76460->76461 76463 7fffe20331ff 76461->76463 76462->76454 76462->76460 76463->76451 76475 7fffe2010180 76463->76475 76464->76452 76464->76453 76464->76457 76464->76459 76465 7fffe2016180 _RunAllParam 2 API calls 76464->76465 76470 7fffe2033013 RegOpenKeyExW 76464->76470 76465->76464 76467 7fffe2033216 76468 7fffe2010280 2 API calls 76467->76468 76471 7fffe203322f _RunAllParam 76468->76471 76469 7fffe2033268 _RunAllParam 76472 7fffe2032e60 10 API calls 76469->76472 76470->76464 76471->76469 76480 7fffe2016d80 LdrLoadDll FindNextFileW _RunAllParam 76471->76480 76473 7fffe203329f _RunAllParam 76472->76473 76473->76429 76476 7fffe20100b0 _RunAllParam 2 API calls 76475->76476 76477 7fffe20101a3 76476->76477 76478 7fffe2016df0 _RunAllParam 2 API calls 76477->76478 76479 7fffe20101b7 76478->76479 76479->76467 76480->76469 76486 7fffe20326d0 76481->76486 76482 7fffe2019ad0 _RunAllParam 2 API calls 76482->76486 76483 7fffe20326ef RegEnumValueA 76484 7fffe2032730 76483->76484 76483->76486 76484->76432 76486->76482 76486->76483 76487 7fffe2014310 76486->76487 76488 7fffe201434b 76487->76488 76491 7fffe2014385 
76487->76491 76490 7fffe2016df0 _RunAllParam 2 API calls 76488->76490 76490->76491 76492 7fffe20143b9 _RunAllParam 76491->76492 76493 7fffe2016d80 LdrLoadDll FindNextFileW _RunAllParam 76491->76493 76492->76486 76493->76492 76495 7fffe203283a 76494->76495 76496 7fffe203282a 76494->76496 76495->76437 76496->76495 76497 7fffe2019ad0 _RunAllParam 2 API calls 76496->76497 76498 7fffe2032862 76497->76498 76499 7fffe2032887 76498->76499 76500 7fffe2032867 RegQueryValueExA 76498->76500 76501 7fffe203288f 76499->76501 76502 7fffe2010280 2 API calls 76499->76502 76500->76499 76501->76437 76503 7fffe20328a6 76502->76503 76504 7fffe2019ad0 _RunAllParam 2 API calls 76503->76504 76505 7fffe20328b5 _RunAllParam 76504->76505 76506 7fffe20328ea 76505->76506 76507 7fffe20328cb RegQueryValueExA 76505->76507 76506->76437 76507->76506 76508->76438 76510 7fffe20175c1 76509->76510 76511 7fffe201762c 76509->76511 76510->76511 76512 7fffe2019ad0 _RunAllParam 2 API calls 76510->76512 76511->76360 76513 7fffe20175db 76512->76513 76514 7fffe20175f0 76513->76514 76515 7fffe201d730 _RunAllParam 2 API calls 76513->76515 76514->76360 76516 7fffe2017607 76515->76516 76516->76360 76518 7fffe20175b0 _RunAllParam 2 API calls 76517->76518 76519 7fffe201777e 76518->76519 76520 7fffe2019ad0 _RunAllParam 2 API calls 76519->76520 76523 7fffe201779b 76519->76523 76521 7fffe2017791 76520->76521 76522 7fffe2017796 NtClose 76521->76522 76521->76523 76522->76523 76523->76406 76524 21a154b2978 76525 21a154b2986 76524->76525 76530 21a154b2060 VirtualAlloc 76525->76530 76527 21a154b29a2 76532 21a154b2264 76527->76532 76529 21a154b29ba 76531 21a154b20c4 76530->76531 76531->76527 76533 21a154b238c VirtualProtect 76532->76533 76534 21a154b230f 76532->76534 76535 21a154b23ee 76533->76535 76534->76533 76536 21a154b244d VirtualProtect 76535->76536 76539 21a154b2544 76536->76539 76541 21a154b2507 VirtualProtect 76536->76541 76538 21a154b25c5 76538->76529 76539->76538 76540 21a154b258c RtlAvlRemoveNode 76539->76540 
76540->76538 76541->76539
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9226028f1a918c7e9f83b8c876f6d96c35b020c1dc2df61bd5e60e02d4e37c5f
                        • Instruction ID: a6f5d9586b11c1a02ed0c5f6b5e563a9838334808b6401660825ffd61b706f2e
                        • Opcode Fuzzy Hash: 9226028f1a918c7e9f83b8c876f6d96c35b020c1dc2df61bd5e60e02d4e37c5f
                        • Instruction Fuzzy Hash: 7F039E66E0878686EB659B1194403BA67E1FB45B88F884037CB0E877D5FFBCE945C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 966 7fffe20059f0-7fffe2005a1a 967 7fffe2005a1c-7fffe2005a4c call 7fffe2011660 call 7fffe2031570 call 7fffe2017770 call 7fffe20323c0 966->967 968 7fffe2005a51-7fffe2005a7a call 7fffe2017db0 call 7fffe202bbb0 966->968 967->968 978 7fffe2005a7c-7fffe2005a9a call 7fffe2011310 call 7fffe1fed1e0 968->978 979 7fffe2005aba 968->979 991 7fffe2005a9f-7fffe2005ab2 call 7fffe2010cb0 978->991 981 7fffe2005abc-7fffe2005abf 979->981 984 7fffe2005aca-7fffe2005afa call 7fffe2031850 call 7fffe20175b0 981->984 985 7fffe2005ac1-7fffe2005ac5 call 7fffe2010e20 981->985 997 7fffe2005afc-7fffe2005b0f call 7fffe2031ac0 984->997 998 7fffe2005b12-7fffe2005b46 call 7fffe2031c30 call 7fffe2017db0 call 7fffe20320e0 call 7fffe2010e20 984->998 985->984 991->979 996 7fffe2005ab4-7fffe2005ab8 991->996 996->981 997->998 1009 7fffe2005b59-7fffe2005b79 call 7fffe2011a90 call 7fffe2019ad0 998->1009 1010 7fffe2005b48-7fffe2005b53 call 7fffe20175b0 998->1010 1022 7fffe2005b7b-7fffe2005b8a 1009->1022 1023 7fffe2005b8f-7fffe2005bae call 7fffe2002170 call 7fffe1ff7eb0 1009->1023 1010->1009 1015 7fffe2005be0-7fffe2005be3 1010->1015 1018 7fffe2005c7b-7fffe2005c8d call 7fffe2019ad0 1015->1018 1019 7fffe2005be9-7fffe2005c04 call 7fffe2031850 call 7fffe20175b0 1015->1019 1029 7fffe2005c93-7fffe2005cca call 7fffe20323c0 call 7fffe2013fd0 call 7fffe2010e20 1018->1029 1030 7fffe2005c8f-7fffe2005c91 ExitProcess 1018->1030 1035 7fffe2005c06 1019->1035 1036 7fffe2005c72-7fffe2005c76 call 7fffe2031c30 1019->1036 1022->1023 1040 7fffe2005bce-7fffe2005bd2 call 7fffe200fca0 1023->1040 1041 7fffe2005bb0-7fffe2005bcc call 7fffe201f150 call 7fffe1ff7eb0 1023->1041 1039 7fffe2005c10-7fffe2005c1d call 7fffe2031ac0 1035->1039 1036->1018 1052 7fffe2005c3b-7fffe2005c6d call 7fffe2017db0 call 7fffe20320e0 call 7fffe20317b0 call 7fffe20323c0 call 7fffe2010e20 1039->1052 1053 7fffe2005c1f-7fffe2005c37 call 7fffe2031a70 call 7fffe201f150 1039->1053 1050 7fffe2005bd7-7fffe2005bdb call 
7fffe2010e20 1040->1050 1041->1040 1050->1015 1052->1036 1053->1039 1066 7fffe2005c39 1053->1066 1066->1036
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseExitProcess
                        • String ID: -R+
                        • API String ID: 3487036407-215093852
                        • Opcode ID: 5b2f5e8f40fa367120f8032369e2e3e29929b38a43fd1f77c59d935f442a50a4
                        • Instruction ID: 7e6a19bba6ff213cb6be451da4f63c969578fb802e3487f6824c438f711ce1f7
                        • Opcode Fuzzy Hash: 5b2f5e8f40fa367120f8032369e2e3e29929b38a43fd1f77c59d935f442a50a4
                        • Instruction Fuzzy Hash: EA817F22F1864295FB10E7A1C4517FD23E6AF85388F854432DF0D97BDAEEA8E905C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1071 7fffe202ed10-7fffe202ed37 call 7fffe202ddc0 1074 7fffe202ed3f-7fffe202ed51 call 7fffe2019ad0 1071->1074 1075 7fffe202ed39-7fffe202ed3c 1071->1075 1078 7fffe202ed53-7fffe202ed76 FindFirstFileExW 1074->1078 1079 7fffe202eda4-7fffe202eda8 1074->1079 1075->1074 1082 7fffe202ed9f-7fffe202eda2 1078->1082 1083 7fffe202ed78-7fffe202ed7e 1078->1083 1080 7fffe202edd1 1079->1080 1081 7fffe202edaa-7fffe202edb0 1079->1081 1084 7fffe202edd8-7fffe202ede2 1080->1084 1081->1080 1085 7fffe202edb2-7fffe202edb6 1081->1085 1082->1084 1083->1082 1086 7fffe202ed80-7fffe202ed84 1083->1086 1088 7fffe202ede4-7fffe202ede8 1084->1088 1089 7fffe202ee4d-7fffe202ee58 call 7fffe201d730 1084->1089 1085->1080 1087 7fffe202edb8-7fffe202edca call 7fffe2019ad0 1085->1087 1086->1082 1090 7fffe202ed86-7fffe202ed98 call 7fffe2019ad0 1086->1090 1087->1080 1102 7fffe202edcc 1087->1102 1088->1089 1093 7fffe202edea-7fffe202edef 1088->1093 1103 7fffe202ee61-7fffe202ee72 1089->1103 1104 7fffe202ee5a 1089->1104 1090->1082 1107 7fffe202ed9a 1090->1107 1097 7fffe202edf1-7fffe202edf8 1093->1097 1098 7fffe202ee1e-7fffe202ee2c 1093->1098 1105 7fffe202edfa-7fffe202edfe 1097->1105 1106 7fffe202ee07-7fffe202ee18 1097->1106 1100 7fffe202ee32-7fffe202ee35 1098->1100 1101 7fffe202ee2e-7fffe202ee30 1098->1101 1100->1106 1109 7fffe202ee37-7fffe202ee39 1100->1109 1101->1100 1108 7fffe202ee3b-7fffe202ee4c 1101->1108 1102->1080 1104->1103 1105->1098 1110 7fffe202ee00-7fffe202ee05 1105->1110 1106->1098 1107->1082 1109->1106 1109->1108 1110->1098 1110->1106
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindFirst
                        • String ID: .
                        • API String ID: 1974802433-248832578
                        • Opcode ID: e7c5b43e647463aeb21b948d6adb688fa2066d02937d6a4a2cec4493fdb9ae69
                        • Instruction ID: 057e37cb4d27859ef2e8e22e83fca2d7a22bfc29363e0d9176a8a625dbbfe891
                        • Opcode Fuzzy Hash: e7c5b43e647463aeb21b948d6adb688fa2066d02937d6a4a2cec4493fdb9ae69
                        • Instruction Fuzzy Hash: 8841B323E4864141EF645B15D1003792BE1EB84BA8F184636CB6C877DAEFBCF882C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1242 7fffe1ff7880-7fffe1ff78c5 1243 7fffe1ff78c7-7fffe1ff78ca 1242->1243 1244 7fffe1ff78cf-7fffe1ff790c call 7fffe203d8a0 call 7fffe2024bc0 call 7fffe203d3a0 1242->1244 1246 7fffe1ff79b2-7fffe1ff79b5 1243->1246 1264 7fffe1ff7913-7fffe1ff791d 1244->1264 1248 7fffe1ff79bb-7fffe1ff79f4 call 7fffe2017de0 call 7fffe2031850 call 7fffe2010e20 call 7fffe2031ac0 1246->1248 1249 7fffe1ff7be8-7fffe1ff7bfa call 7fffe2033bb0 1246->1249 1276 7fffe1ff79fa-7fffe1ff7a05 call 7fffe20175b0 1248->1276 1277 7fffe1ff7a83-7fffe1ff7a91 call 7fffe2031c30 call 7fffe2033bb0 1248->1277 1258 7fffe1ff7c0c-7fffe1ff7c1d 1249->1258 1259 7fffe1ff7bfc-7fffe1ff7c07 call 7fffe2031c30 call 7fffe20172a0 1249->1259 1259->1258 1267 7fffe1ff795e-7fffe1ff7969 1264->1267 1268 7fffe1ff791f 1264->1268 1267->1264 1271 7fffe1ff796b-7fffe1ff796f call 7fffe2033bb0 1267->1271 1272 7fffe1ff7920-7fffe1ff7939 call 7fffe2033af0 call 7fffe203d4d0 1268->1272 1278 7fffe1ff7974-7fffe1ff798b 1271->1278 1293 7fffe1ff793b-7fffe1ff793f 1272->1293 1294 7fffe1ff7943-7fffe1ff795a call 7fffe2033c50 1272->1294 1290 7fffe1ff7a07-7fffe1ff7a0f call 7fffe203cf10 1276->1290 1291 7fffe1ff7a14-7fffe1ff7a1f call 7fffe20175b0 1276->1291 1296 7fffe1ff7a96-7fffe1ff7a9e 1277->1296 1282 7fffe1ff799d-7fffe1ff79ab 1278->1282 1283 7fffe1ff798d-7fffe1ff7998 call 7fffe2031c30 call 7fffe20172a0 1278->1283 1282->1246 1283->1282 1290->1291 1307 7fffe1ff7a25-7fffe1ff7a65 call 7fffe1fdd690 call 7fffe2017db0 call 7fffe20320e0 call 7fffe2010e20 call 7fffe20175b0 1291->1307 1308 7fffe1ff7bdf-7fffe1ff7be3 call 7fffe2031c30 1291->1308 1293->1272 1300 7fffe1ff7941 1293->1300 1294->1271 1305 7fffe1ff795c 1294->1305 1302 7fffe1ff7ab0-7fffe1ff7ac1 1296->1302 1303 7fffe1ff7aa0-7fffe1ff7aab call 7fffe2031c30 call 7fffe20172a0 1296->1303 1300->1305 1303->1302 1305->1267 1322 7fffe1ff7a67-7fffe1ff7a7e call 7fffe20317b0 call 7fffe20323c0 call 7fffe1fe36f0 1307->1322 1323 7fffe1ff7ac2-7fffe1ff7adb call 7fffe2010180 call 
7fffe200fcd0 1307->1323 1308->1249 1322->1277 1333 7fffe1ff7add-7fffe1ff7ae5 1323->1333 1334 7fffe1ff7b44-7fffe1ff7b8e call 7fffe2010150 * 3 call 7fffe20320e0 call 7fffe1ff5f40 1323->1334 1333->1334 1336 7fffe1ff7ae7-7fffe1ff7af2 call 7fffe203d340 1333->1336 1361 7fffe1ff7c1e-7fffe1ff7c2b call 7fffe203d340 1334->1361 1362 7fffe1ff7b94-7fffe1ff7bc2 call 7fffe1ff5e90 call 7fffe20323c0 call 7fffe200fca0 * 3 1334->1362 1341 7fffe1ff7b25-7fffe1ff7b3f call 7fffe20102b0 1336->1341 1342 7fffe1ff7af4-7fffe1ff7b0c call 7fffe200fcd0 1336->1342 1341->1334 1350 7fffe1ff7bc7-7fffe1ff7bda call 7fffe200fca0 call 7fffe20323c0 call 7fffe1fe36f0 1342->1350 1351 7fffe1ff7b12-7fffe1ff7b23 call 7fffe2010230 1342->1351 1350->1308 1351->1334 1368 7fffe1ff7d15-7fffe1ff7ded call 7fffe2016d10 call 7fffe200fcc0 call 7fffe20190b0 call 7fffe2010bc0 call 7fffe2010e20 call 7fffe20106d0 call 7fffe2010280 call 7fffe200fcb0 * 2 call 7fffe2007fac call 7fffe1ff5bb0 call 7fffe20102b0 call 7fffe200bae0 1361->1368 1369 7fffe1ff7c31-7fffe1ff7d10 call 7fffe2016d10 call 7fffe200fcc0 call 7fffe20190b0 call 7fffe2010bc0 call 7fffe2010e20 call 7fffe20106d0 call 7fffe2010280 call 7fffe200fcb0 * 2 call 7fffe2007fac call 7fffe1ff6300 call 7fffe20102b0 call 7fffe2009990 1361->1369 1362->1350 1428 7fffe1ff7df2-7fffe1ff7df7 1368->1428 1369->1428 1430 7fffe1ff7e1b-7fffe1ff7e81 call 7fffe1ff5e90 call 7fffe20323c0 call 7fffe200fca0 * 4 call 7fffe20323c0 call 7fffe1fe36f0 call 7fffe2031c30 call 7fffe2033bb0 1428->1430 1431 7fffe1ff7df9-7fffe1ff7e18 call 7fffe20315d0 1428->1431 1454 7fffe1ff7e93-7fffe1ff7ea5 1430->1454 1455 7fffe1ff7e83-7fffe1ff7e8e call 7fffe2031c30 call 7fffe20172a0 1430->1455 1431->1430 1455->1454
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )8GV$)8GV
                        • API String ID: 0-993736920
                        • Opcode ID: 804c529f3147a5f380dbcc76850214d80c5f14b72e1de46f1220a5da4bdeeadd
                        • Instruction ID: 56657457d4518f03b09c0ea06b72ec905b9b3765a2fa5dc6c41f0ce6f4b16c20
                        • Opcode Fuzzy Hash: 804c529f3147a5f380dbcc76850214d80c5f14b72e1de46f1220a5da4bdeeadd
                        • Instruction Fuzzy Hash: 24F17022E1858295EB10EB61D8917FD63A1EF94384F800432EB4E87ADAEFBCD545C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: b51406e0cbd007a77da5e52b673c51c1d3a00921d7b379c8f8b3d8d663c176b9
                        • Instruction ID: 695d5c1918542525b5114ccf657c4e4ac67be42a6fffa5a4faf58e0f75cc962b
                        • Opcode Fuzzy Hash: b51406e0cbd007a77da5e52b673c51c1d3a00921d7b379c8f8b3d8d663c176b9
                        • Instruction Fuzzy Hash: CF82AC62E4878686EB658B1194403B97BE1FB85B84F484436CB4E87BD6FFBCE541C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b30304b35cc8b6e8ea6aef7470cb68ac2061bc0eef20e91569310b4157572585
                        • Instruction ID: 7c321c5f017500db3a62fef2ac078a805cb138f869d73625e95ebe68d67837d3
                        • Opcode Fuzzy Hash: b30304b35cc8b6e8ea6aef7470cb68ac2061bc0eef20e91569310b4157572585
                        • Instruction Fuzzy Hash: 7C72AD62E0879686EB658B1198443B967E1FB45B88F884036CB4D877D5FFBCE941C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 2025 7fffe203d520-7fffe203d577 call 7fffe2033e50 call 7fffe2033bb0 call 7fffe2010150 2032 7fffe203d580-7fffe203d599 call 7fffe2019ad0 2025->2032 2035 7fffe203d5f5-7fffe203d621 call 7fffe202ddc0 call 7fffe200fcb0 2032->2035 2036 7fffe203d59b-7fffe203d5c7 call 7fffe200fcc0 call 7fffe200fcb0 NtQuerySystemInformation 2032->2036 2045 7fffe203d7d7-7fffe203d7da 2035->2045 2046 7fffe203d627 2035->2046 2047 7fffe203d5d0-7fffe203d5d9 2036->2047 2048 7fffe203d5c9-7fffe203d5ce 2036->2048 2050 7fffe203d83f-7fffe203d882 call 7fffe200fca0 call 7fffe2033bb0 2045->2050 2051 7fffe203d7dc-7fffe203d7e4 2045->2051 2049 7fffe203d630-7fffe203d637 2046->2049 2052 7fffe203d5e2-7fffe203d5f3 call 7fffe200fcc0 call 7fffe2010280 2047->2052 2053 7fffe203d5db call 7fffe2010280 2047->2053 2048->2035 2048->2047 2055 7fffe203d7c8-7fffe203d7cc 2049->2055 2056 7fffe203d63d-7fffe203d641 2049->2056 2074 7fffe203d894-7fffe203d89d 2050->2074 2075 7fffe203d884-7fffe203d88f call 7fffe2031c30 call 7fffe20172a0 2050->2075 2051->2050 2057 7fffe203d7e6 2051->2057 2052->2032 2064 7fffe203d5e0 2053->2064 2055->2045 2060 7fffe203d7ce-7fffe203d7d1 2055->2060 2056->2055 2062 7fffe203d647-7fffe203d670 call 7fffe2017360 2056->2062 2063 7fffe203d7f0-7fffe203d803 call 7fffe2033af0 2057->2063 2060->2045 2060->2049 2076 7fffe203d672-7fffe203d684 call 7fffe2033af0 2062->2076 2077 7fffe203d695-7fffe203d69b 2062->2077 2078 7fffe203d805-7fffe203d80e 2063->2078 2079 7fffe203d837-7fffe203d83d 2063->2079 2064->2032 2075->2074 2093 7fffe203d72a-7fffe203d72d 2076->2093 2094 7fffe203d68a-7fffe203d68f 2076->2094 2080 7fffe203d6a9-7fffe203d6bc call 7fffe20172c0 2077->2080 2081 7fffe203d69d-7fffe203d6a3 2077->2081 2078->2079 2084 7fffe203d810-7fffe203d820 call 7fffe2033af0 2078->2084 2079->2050 2079->2063 2098 7fffe203d6c2-7fffe203d728 call 7fffe2011a90 call 7fffe2011660 call 7fffe2010150 2080->2098 2099 7fffe203d766 2080->2099 2081->2080 2085 7fffe203d7c5 2081->2085 2096 
7fffe203d822-7fffe203d826 2084->2096 2097 7fffe203d82a-7fffe203d831 2084->2097 2085->2055 2100 7fffe203d72f-7fffe203d733 2093->2100 2101 7fffe203d747-7fffe203d74a 2093->2101 2094->2076 2095 7fffe203d691 2094->2095 2095->2077 2096->2084 2102 7fffe203d828 2096->2102 2097->2079 2104 7fffe203d833 2097->2104 2106 7fffe203d769-7fffe203d7c3 call 7fffe2015840 call 7fffe2012000 call 7fffe2010e20 call 7fffe2012340 call 7fffe20114d0 call 7fffe2010e20 2098->2106 2099->2106 2107 7fffe203d735-7fffe203d738 call 7fffe203d1e0 2100->2107 2108 7fffe203d73d-7fffe203d741 2100->2108 2103 7fffe203d74e-7fffe203d764 call 7fffe2033c50 2101->2103 2102->2079 2103->2055 2104->2079 2106->2103 2107->2108 2108->2095 2108->2101
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationQuerySystem
                        • String ID:
                        • API String ID: 3562636166-0
                        • Opcode ID: f4c61d334f8c0668e9272da2b3588f2f1e50bb689e5d7d777cf062c06cff3a66
                        • Instruction ID: 7172708dd23f2542936ffc6df47a71ed2c36ed744a9f2b627968a1170b04a9e5
                        • Opcode Fuzzy Hash: f4c61d334f8c0668e9272da2b3588f2f1e50bb689e5d7d777cf062c06cff3a66
                        • Instruction Fuzzy Hash: 18B15936E04A429AE710EB25DA803AE23E5FB44B88F444435DB4E87BD5FFB8E524C701
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of the function at 7fffe20197d0 (rendered graph with executed/not-executed node colouring; basic-block edge listing omitted). API call referenced in the graph: LdrLoadDll.]
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindLoadNext
                        • String ID:
                        • API String ID: 50669962-0
                        • Opcode ID: 5862aa32ed70c73689100f7b32534a56fb24c37bef8f83fe85457d18e720210c
                        • Instruction ID: e64293da52253046d4afb0583dc6052ca5d9d0de0d50bd6981749b79f303dc04
                        • Opcode Fuzzy Hash: 5862aa32ed70c73689100f7b32534a56fb24c37bef8f83fe85457d18e720210c
                        • Instruction Fuzzy Hash: AD817C22E1854641EA14EB61D0513BEA7E6FF85354F844132EB8D87BCAEEBCE605C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: b712256428b0df9bed200587965cf3e4e127cf650125a6a5880c015abd4b8702
                        • Instruction ID: 2dfc0d610c5c01d247e8a2e328c77e6dfed338f748189ef38f980eaf9dcc7010
                        • Opcode Fuzzy Hash: b712256428b0df9bed200587965cf3e4e127cf650125a6a5880c015abd4b8702
                        • Instruction Fuzzy Hash: 7C0125A1E1854642EE10EB55E8513BA9391FFC4784F845032EB8E877CBEFACD505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 989de0e4ba9f470ec29fa1517cce279e475158596a2d2b34bb9a21bd8a9c7678
                        • Instruction ID: 63963c4cb3a13f108347009de04fe9ed056a2900d7d780687d8c575bc5b42c61
                        • Opcode Fuzzy Hash: 989de0e4ba9f470ec29fa1517cce279e475158596a2d2b34bb9a21bd8a9c7678
                        • Instruction Fuzzy Hash: ADD05E51E1960541FF2667A1A1413B802D09F99754F084032CF8D8B3E6FFBC98858323
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: -R+
                        • API String ID: 0-215093852
                        • Opcode ID: a69d413b79185468db85dbb00f48a44d5861eab96bdbded0aef1ed2497344779
                        • Instruction ID: c23b28e65dae13078f0778655468f21bceadb4aea8c98a91e88888c8b89de32e
                        • Opcode Fuzzy Hash: a69d413b79185468db85dbb00f48a44d5861eab96bdbded0aef1ed2497344779
                        • Instruction Fuzzy Hash: 27714C22F0864695FB10DB61A4907EE67E6BF84344F940436DB4D87BCAEFB8E844C701
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e02d7232f7d78f7ca0faad9d780fd8464de4486dd722750a79ab276c840cf46
                        • Instruction ID: 3a3c9c23a3d81ec2c4fc490f6a26df4737d673b1c2c7f9a895fc5f3b279d1b30
                        • Opcode Fuzzy Hash: 6e02d7232f7d78f7ca0faad9d780fd8464de4486dd722750a79ab276c840cf46
                        • Instruction Fuzzy Hash: 6872C0A2E0879689EA258B15D4403B96BE5FB85F84F454032CB0E87BD6FFBCE545C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b19558ec1b563e986aa672bfca4787e0e090a2c27d84b71e98bd82cf27a827a9
                        • Instruction ID: 11a57a14fb7744ba2807bac76f09426ce1747e28ab86193065827846ba089100
                        • Opcode Fuzzy Hash: b19558ec1b563e986aa672bfca4787e0e090a2c27d84b71e98bd82cf27a827a9
                        • Instruction Fuzzy Hash: D1228126E0850286FA20EB609556BBE62D2BF84744F504936DF4EC77DAFFBCE5058342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cf29eca0b171afe8396e126662ca67977e5409f618f66687fc56cdd30206c93e
                        • Instruction ID: 9dce7d47cbf6b0274aee2a61384587b2ec1c6e7417a0dd4661589d40aa062879
                        • Opcode Fuzzy Hash: cf29eca0b171afe8396e126662ca67977e5409f618f66687fc56cdd30206c93e
                        • Instruction Fuzzy Hash: BD61C521F1864241FA66AB615550B7A52D1EF843A4F480236EF6D86FD9FFBCE805CA03
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of the function at 7fffe20076e0 (rendered graph with executed/not-executed node colouring; basic-block edge listing omitted). API call referenced in the graph: FreeConsole.]
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleFree
                        • String ID: )8GV$UsS$UsS$d
                        • API String ID: 771614528-2529742583
                        • Opcode ID: e2026f5a81b11b51a6c2246cbce2da0ae47efb65c577484c0903535be8b00647
                        • Instruction ID: 04da4efb096f4c51c95ff4a432b08bddcabd7df34f8b941cf82e25c525ceb000
                        • Opcode Fuzzy Hash: e2026f5a81b11b51a6c2246cbce2da0ae47efb65c577484c0903535be8b00647
                        • Instruction Fuzzy Hash: E791D321F1864242FA55E761A0417BA63D2FF84780F944536EB5E87BDAFEBCE801C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of the function at 7fffe2032e60 (rendered graph with executed/not-executed node colouring; basic-block edge listing omitted). API calls referenced in the graph: RegCloseKey, RegEnumKeyW, RegOpenKeyExW.]
                        APIs
                        • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFE2032F59
                        • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFE2032FB4
                        • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFE2033039
                        • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFFE2033164
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$EnumOpen
                        • String ID:
                        • API String ID: 138425441-0
                        • Opcode ID: 094364c0fc53dfd3419dc33cb0b34909bd5a0213225207366fa796a507a74dab
                        • Instruction ID: 3265719f54c063555cf0d0619f3a39722e79da52a629564d473f9b0a71bffcc7
                        • Opcode Fuzzy Hash: 094364c0fc53dfd3419dc33cb0b34909bd5a0213225207366fa796a507a74dab
                        • Instruction Fuzzy Hash: F1C1A421E0D68146EA609B55E4C17BAA3D1EF85BA0F444232EF6D877C5EFACE8058742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259268978.0000021A154B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021A154B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_21a154b0000_loaddll64.jbxd
                        Similarity
                        • API ID: ProtectVirtual$NodeRemove
                        • String ID:
                        • API String ID: 3879549435-0
                        • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction ID: 6ff37657e24f890815b9593d0d86426ddf2f42c1ab27cfb81eeee6e07c1c09ec
                        • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction Fuzzy Hash: B6B162B6619BC486D730CB1AE440BDEB7A1F7D9B80F108126EE8D57B59DB39C8418F40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph of the function at 7fffe202f550 (rendered graph with executed/not-executed node colouring; basic-block edge listing omitted). API calls referenced in the graph: CreateFileW, SetFileTime.]
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e8f86152005a6839ce8279108474c1071937bd661db3fdf853356efa02972d9
                        • Instruction ID: dbe698fda066ab259bb591455344d1b5a03d794ed106e34bfdbcbe19eeebdaa7
                        • Opcode Fuzzy Hash: 6e8f86152005a6839ce8279108474c1071937bd661db3fdf853356efa02972d9
                        • Instruction Fuzzy Hash: EA511122F0868242E6609A61A4183BA2AD1FFC57C4F544437DF8E87BD6FFBDE4058342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$PointerRead
                        • String ID:
                        • API String ID: 3154509469-0
                        • Opcode ID: 331b266690a51bd9e9e1afdd9bcb6d8da601ef13df602822ccb6855287193808
                        • Instruction ID: 4dd75bb66b91829c7eb08086201e003f0cc3eeb1b71e4ab1c51f1a91d7657b93
                        • Opcode Fuzzy Hash: 331b266690a51bd9e9e1afdd9bcb6d8da601ef13df602822ccb6855287193808
                        • Instruction Fuzzy Hash: B341B522F1868152EA50AB25A00477EA7D5EFC5780F540136EF8D87BDAEFBCD402CB42
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFE201961D), ref: 00007FFFE2032885
                        • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFE201961D), ref: 00007FFFE20328E8
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: QueryValue
                        • String ID:
                        • API String ID: 3660427363-0
                        • Opcode ID: 153110234c8c42a34e500a1f5de43cae22c4755d4903ff5f4b2be1f0742d5997
                        • Instruction ID: 2af1f7100785b5bf8ebd824948038ddfe0ed2c6758d4fec1e93625b9fc363e07
                        • Opcode Fuzzy Hash: 153110234c8c42a34e500a1f5de43cae22c4755d4903ff5f4b2be1f0742d5997
                        • Instruction Fuzzy Hash: D521D327F1A65546EA14DB55A44027AA3D1EF84BE4F084132EF9C47BD8EFBCD881CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph export from the IDA plugin: basic blocks 7fffe2031850-7fffe2031a60; internal calls to 7fffe20316b0, 7fffe2010ee0, 7fffe2019ad0, 7fffe201d730, 7fffe2031490 and 7fffe20177b0; CreateMutexA is called in block 7fffe203199a-7fffe20319b3.]
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateMutex
                        • String ID:
                        • API String ID: 1964310414-0
                        • Opcode ID: 98df9c23fb3c1cc9822635f67bb0725526e27280c442d60146d7ae702abe5b52
                        • Instruction ID: 182ee41d5ac445cc88f59f3922116d8d4dac357f07206cd207d46465d23b05e1
                        • Opcode Fuzzy Hash: 98df9c23fb3c1cc9822635f67bb0725526e27280c442d60146d7ae702abe5b52
                        • Instruction Fuzzy Hash: 7E519132E0865186EA64AB2190413B963D1EF88780F5C0436EB9D877C9FFB8E941C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFFE20314EB
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: DescriptorSecurity$ConvertString
                        • String ID:
                        • API String ID: 3907675253-0
                        • Opcode ID: e5a01e5b6f4bcb9f53f0f12f4ec44b20c3687552735649ec66f5e95aa87ef928
                        • Instruction ID: f8ecdebf3f5f2054d556fc876089fd4be389ae927c092468154c98cd2f5b4385
                        • Opcode Fuzzy Hash: e5a01e5b6f4bcb9f53f0f12f4ec44b20c3687552735649ec66f5e95aa87ef928
                        • Instruction Fuzzy Hash: 13213332A08B4692DA109F56A5402A9B3E1FF88784F844136EB8D47B85FFB8E555CB41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F6CC
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: 6ca514271aa2ccbf9e65c64331e76054333795a0ac3006ee3468cb6e7d957d7b
                        • Instruction ID: 3e34abda9ae16cf53dd93391cd5566c9ca0e70d555a287988bdf218043e4a440
                        • Opcode Fuzzy Hash: 6ca514271aa2ccbf9e65c64331e76054333795a0ac3006ee3468cb6e7d957d7b
                        • Instruction Fuzzy Hash: C911C123E0864642E6709B11A0083BA6BD1FB857C0F580136CB8E877D2EFBDE4458742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F75A
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        • Opcode ID: 973ce17bb4547c66b01c4b264a2088b4b76e8460d13e934e161ee156961afb5c
                        • Instruction ID: 178a1f1d6f05383259a01172dc67bc642b084d4338a55e9c0313d948156ba1c5
                        • Opcode Fuzzy Hash: 973ce17bb4547c66b01c4b264a2088b4b76e8460d13e934e161ee156961afb5c
                        • Instruction Fuzzy Hash: E911A023E0864642E6609B11A0083BA67D1FBC57C4F580136DB8E877D2EFBCD4458742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        [Control-flow graph export from the IDA plugin: basic blocks 7fffe202ec70-7fffe202ed05; internal calls to 7fffe2019ad0 and 7fffe201d730; FindNextFileW is called in block 7fffe202ec94-7fffe202ec9f.]
                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindNext
                        • String ID:
                        • API String ID: 2029273394-0
                        • Opcode ID: 2d1af1827b1d2d8801b2412dc35ce498f73b9e34e8d93c721a21e2f45014ebc3
                        • Instruction ID: 6f6e9a22d3d84e86738f320dc77c3a6d198b9b3a4921d7e22fc63492c3ce04a1
                        • Opcode Fuzzy Hash: 2d1af1827b1d2d8801b2412dc35ce498f73b9e34e8d93c721a21e2f45014ebc3
                        • Instruction Fuzzy Hash: FC117062E5824242FB669AA5910137917E1EF94788F242033DF4C873C6FFACF892C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F75A
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        • Opcode ID: 3817820411cb0b7d10e5eb707ddb0433116a0647d05f245d578b53c1bb8bdb13
                        • Instruction ID: c307f829c7f06d468053eef31eefc149eea438fafa1b76f4de004cffd7f85af8
                        • Opcode Fuzzy Hash: 3817820411cb0b7d10e5eb707ddb0433116a0647d05f245d578b53c1bb8bdb13
                        • Instruction Fuzzy Hash: AB11CE23E0828682E6709B1160487BA67D1FB867C4F580136DB8E87BD2EFBCE445C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFE202F9E1), ref: 00007FFFE202F75A
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        • Opcode ID: 429c56346b2034a31c2cef6afb05b8ab541344bd3a6cb4c20de9bd7c4de172c1
                        • Instruction ID: d5d99b2d2d4457b27ccc7baa9c611e748f409ca4ad71e980fe109ffd45e7a058
                        • Opcode Fuzzy Hash: 429c56346b2034a31c2cef6afb05b8ab541344bd3a6cb4c20de9bd7c4de172c1
                        • Instruction Fuzzy Hash: 5601A123E0868642E6719B11B0083BA67D1FB857C0F580136DB8E87BD2EFBCD445C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnumValue
                        • String ID:
                        • API String ID: 2814608202-0
                        • Opcode ID: 2a2fcf5f9e350904fb3537f49a6c8ed5d60c26e41785605d00be1800cc27a701
                        • Instruction ID: cd89e54c2d4f70b576f4a31ea1a16ec3bb13f2acd17812087d7d0a285bb33101
                        • Opcode Fuzzy Hash: 2a2fcf5f9e350904fb3537f49a6c8ed5d60c26e41785605d00be1800cc27a701
                        • Instruction Fuzzy Hash: FE113376608B85C6D7209F51F44069AB7A4F788B80F588135EFDD43B44DF78E951CB04
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateHeap
                        • String ID:
                        • API String ID: 10892065-0
                        • Opcode ID: a96aac4b88726add19aa6c3416a26d510985dd403ff5de1f47f0639e7ae62027
                        • Instruction ID: 0730e360851f17b4fd3e8cb614089da102360f62c9c52ea4e3275fc590641cb5
                        • Opcode Fuzzy Hash: a96aac4b88726add19aa6c3416a26d510985dd403ff5de1f47f0639e7ae62027
                        • Instruction Fuzzy Hash: 7E01F261E0864182E7518B11F91076573E0FB893C4F088439DB8C8BBE9FF7CD4108702
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: ComputerName
                        • String ID:
                        • API String ID: 3545744682-0
                        • Opcode ID: 4526fb13094574740442ec1fce12841928cd3a0c317f3c2e74dfc36f7abd771a
                        • Instruction ID: 553bf4f017df444d2a546353b6abe829bcc1e08b579b143cf91286c3879148f6
                        • Opcode Fuzzy Hash: 4526fb13094574740442ec1fce12841928cd3a0c317f3c2e74dfc36f7abd771a
                        • Instruction Fuzzy Hash: 04015EA1E2854642EA10EB15E8513BA9391FFC4784F445032EB8E877CBEFACD104C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: BoundaryDeleteDescriptor
                        • String ID:
                        • API String ID: 3203483114-0
                        • Opcode ID: b44d0d97fcddc966a4cbcc5758cd1c95ffa8e42aa7f6a023754a7351b8cc8eff
                        • Instruction ID: 23060da274b2b10afdb4f137e93ba485c4b1cd332e691f7a8ea0d60c63dda7bf
                        • Opcode Fuzzy Hash: b44d0d97fcddc966a4cbcc5758cd1c95ffa8e42aa7f6a023754a7351b8cc8eff
                        • Instruction Fuzzy Hash: 7EF05840F4A24601FE6A93E6581037102C26FC9380E1C843ACE1DCA7EAFEACEA458213
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000021A154B29A2), ref: 0000021A154B20B0
                        Memory Dump Source
                        • Source File: 00000001.00000002.259268978.0000021A154B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000021A154B0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_21a154b0000_loaddll64.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction ID: 7829c7a6c27f50b4de113d2c109a52effa22644353fcd86a6faba1fe6e0dc751
                        • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction Fuzzy Hash: CC313AB6615B9086D790DF1AE49579A7BB1F389BD4F205026EF8D87B18DF3AC442CB00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0020$0020$3050$3050$4040$GNOP$UsS
                        • API String ID: 0-786335679
                        • Opcode ID: ed1d2f42c23e7ce89336110dd01849b9e25a16ce266ba335491407c58ada4592
                        • Instruction ID: deaf38af03123939827d107ac247c23ffb9525536cba64208d0079a91c724e11
                        • Opcode Fuzzy Hash: ed1d2f42c23e7ce89336110dd01849b9e25a16ce266ba335491407c58ada4592
                        • Instruction Fuzzy Hash: AF728422E146C295EB20EF21C4957FD27A5FB94388F804032EB4D876DAEFB8D645C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: S4$D$vfoR$vfoR$vfoR
                        • API String ID: 0-739406038
                        • Opcode ID: 10d6710cae7ca971f77dfc8776edba6a4515f60bac1f7199c9a42ddab1afb102
                        • Instruction ID: 7d4d021545e0160a13e434d16ffc5aa45a0eb9319872963d5d715c00333cac80
                        • Opcode Fuzzy Hash: 10d6710cae7ca971f77dfc8776edba6a4515f60bac1f7199c9a42ddab1afb102
                        • Instruction Fuzzy Hash: 96827F32E2864285FA10DB60D491AEE63A6FF84754F804932EB5E877DAEFBCD504C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: S4$vfoR$vfoR$vfoR$vfoR
                        • API String ID: 0-2269768260
                        • Opcode ID: adae2a4293f29e102cd48f7afa572db09e3253633040e96132bbc2635344a77b
                        • Instruction ID: 0d2e417a157785bbc80ca1b9247cf549ebb0773c17dd966d72c04b6a605d4a3b
                        • Opcode Fuzzy Hash: adae2a4293f29e102cd48f7afa572db09e3253633040e96132bbc2635344a77b
                        • Instruction Fuzzy Hash: 7642C121E0864241FA50DBA19951BFE52D2AF857A4F404A32EF1E87BDEFFBCD5058342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ERCP$VUUU$VUUU$VUUU
                        • API String ID: 0-2165971703
                        • Opcode ID: ee404d1add520d7237fb83d13fb568777b8ad25a2b9c9760a12c6af456185d0f
                        • Instruction ID: a3dbeae3e1393bc6a5c0894f6ee86b1b0ac23f2479d5d564f8ed5aa215fd5062
                        • Opcode Fuzzy Hash: ee404d1add520d7237fb83d13fb568777b8ad25a2b9c9760a12c6af456185d0f
                        • Instruction Fuzzy Hash: E0529272E096828AEB648F65D4403BD7BE1FB65758F148135DB4A97BC4EBBCE840C702
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: )8GV$)8GV$@
                        • API String ID: 0-2802744955
                        • Opcode ID: df14e16af5b8b25d8657db8fb03c4a0eded2b82f23d0ac0627c9d21bda5b9b04
                        • Instruction ID: e40f0e375224018838ef32f9957ba1c1fdce5f2c725d5341160fc3582856d74a
                        • Opcode Fuzzy Hash: df14e16af5b8b25d8657db8fb03c4a0eded2b82f23d0ac0627c9d21bda5b9b04
                        • Instruction Fuzzy Hash: C2327422E2858295EB10EB61D8913FE63A1EF84384F844432EB5D877DAEFBCD505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: */*$GET$POST
                        • API String ID: 0-3233530491
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0$vfoR$vfoR
                        • API String ID: 0-4254161263
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: vfoR$vfoR
                        • API String ID: 3535843008-516101275
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: UsS$UsS
                        • API String ID: 0-3680756722
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: UsS$UsS
                        • API String ID: 0-3680756722
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ,q,\$,q,\
                        • API String ID: 0-1092452903
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: UsS
                        • API String ID: 0-2967771648
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: GET
                        • API String ID: 0-1805413626
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: ,q,\
                        • API String ID: 3535843008-3313482636
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID: CreateMutex
                        • String ID: z
                        • API String ID: 1964310414-1657960367
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !hMy
                        • API String ID: 0-318797071
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID: CloseEnumValue
                        • String ID: 'Q|
                        • API String ID: 858281747-3964534801
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: U
                        • API String ID: 0-3372436214
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Content-Type
                        • API String ID: 0-2058190213
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: -R+
                        • API String ID: 0-215093852
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID: 0-3916222277
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: `ngU
                        • API String ID: 0-1771476526
                        • Opcode ID: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
                        • Instruction ID: c43e700d69adb04696d684931998a54db60d97790b1e5a6e0675d48770c6400f
                        • Opcode Fuzzy Hash: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
                        • Instruction Fuzzy Hash: 92919022F1454295FB14EB62D0913FD63B6AF54788F844033EB4D87BDAEEA8E505C392
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ERCP
                        • API String ID: 0-1384759551
                        • Opcode ID: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
                        • Instruction ID: ea01262bc27f0824af1accabfa4da44ae5ba68dfa68810ad379d3008b5025f7c
                        • Opcode Fuzzy Hash: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
                        • Instruction Fuzzy Hash: D141A567B244558BE7189E2998212BA27D1F7E87817008438FBD7C3B8AED7CDE51C354
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3a23402dcb1180928be73f021032140fa76fdfa08ccfcbd8a880ebe91c02dfd5
                        • Instruction ID: 70efa05c05f4898cbe720c0f500eb8ab080aa38ce4a53072e5b1c3321c855117
                        • Opcode Fuzzy Hash: 3a23402dcb1180928be73f021032140fa76fdfa08ccfcbd8a880ebe91c02dfd5
                        • Instruction Fuzzy Hash: 4382C062F0879681EA258B1194403B96BE6FB94B84F894033DB4D87BD6FFBCD945C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d89b50f5d6e70e944bf997ae9bf9d896c702fbc6cbe5386261f1367441b146e7
                        • Instruction ID: 94fce406f86f7511cc0fc5eeac27a8b73918c169584ad6073c6ecdf72770db3c
                        • Opcode Fuzzy Hash: d89b50f5d6e70e944bf997ae9bf9d896c702fbc6cbe5386261f1367441b146e7
                        • Instruction Fuzzy Hash: FF72C062E0879681EA698B1594403B96BE5FF95B84F854033CB4D87BD6FFBCE841C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6d9564631bb64ffe29847bbdae90a84bf0c515e7a69beb3f6f82f18a457d9d2a
                        • Instruction ID: e96d40cc4b0dc1a7644d255e263c20aa0e21f76586e4fcb4d79077b0f5a470f6
                        • Opcode Fuzzy Hash: 6d9564631bb64ffe29847bbdae90a84bf0c515e7a69beb3f6f82f18a457d9d2a
                        • Instruction Fuzzy Hash: 0372C262E0878682EA698B1594403B96BE5FF95B84F854037CB4D877D6FFBCE841C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 82869b3d20cf08d3bb0b89ebc7d353287e46cf13ea39fec11df4e0fca45d4169
                        • Instruction ID: fbca7b6579ef7edc25ae222d17ec998159bb3a2d2faadb185f62422637982274
                        • Opcode Fuzzy Hash: 82869b3d20cf08d3bb0b89ebc7d353287e46cf13ea39fec11df4e0fca45d4169
                        • Instruction Fuzzy Hash: 50723F22F2864294EB00EB61C4966EE67A6EF94344FC04432FB4D876DAFFACD605C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 542562b88389569f02b4c188f5fe780a6c4839d75ff0dd8dfcb55320117c5c3a
                        • Instruction ID: 3c4dc2befaa9e9475901f61c1c2f5d6046813745c45531f55218cedf79ee84c4
                        • Opcode Fuzzy Hash: 542562b88389569f02b4c188f5fe780a6c4839d75ff0dd8dfcb55320117c5c3a
                        • Instruction Fuzzy Hash: 3052A062E08B8682EB648B15D4543B967E1FB95B84F854032CB4D877DAFFBCE940C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
                        • Instruction ID: 9cfbdcdb248e5c482fa5b5cdf2db50c20edfb71651a023a7799797c1a521b182
                        • Opcode Fuzzy Hash: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
                        • Instruction Fuzzy Hash: 59627CB7A147458BD7648F26C08062C37B1F748F69B259236CF0D87789DB78E891CB92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 1bc31e9fd99bf61eae261105132e15a90afca940a9f7be67a277eb3e900f5e41
                        • Instruction ID: aef5f2096e9f682fc8b93b7d47c7ba15c031ed693deae022bd47e686c662d898
                        • Opcode Fuzzy Hash: 1bc31e9fd99bf61eae261105132e15a90afca940a9f7be67a277eb3e900f5e41
                        • Instruction Fuzzy Hash: 08627322E2854295EB50EB61D4516FE67A6EFC4384F804032EB4E87BDBEFACE504C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: deb69c2a5230736778043cbd0bc1ebda3bcfc749184f887dec01cc491ae295b9
                        • Instruction ID: b8e5472b30bf3eefb000b6fbbaf9a2bcb96393e2c5eddd335375347eafdfc534
                        • Opcode Fuzzy Hash: deb69c2a5230736778043cbd0bc1ebda3bcfc749184f887dec01cc491ae295b9
                        • Instruction Fuzzy Hash: AB525F21E1868695EB00EB61D4517FE63E6FF84784F844032EA4E877DAEE7CE505C782
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 99c5a93dd67f47aab25769bcecfe8ebd736e904308b20bd8f6175fd1f5a27280
                        • Instruction ID: 6fb8342e050e8fa623021aea3ba2b339e68d2aa94ba94d4dd213207a988f496d
                        • Opcode Fuzzy Hash: 99c5a93dd67f47aab25769bcecfe8ebd736e904308b20bd8f6175fd1f5a27280
                        • Instruction Fuzzy Hash: 3C429122E1868245EB10EB61C8917FE67E6EF80754F804132EB4D87BDAEFB8D545C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2fc65236ab716d8a42fb7df6a60cd012039533c07fcd427e14fdac1332e1422f
                        • Instruction ID: beaa5c12d2ed7c0716c3fcdc626345c1cddfa3e3924e17bf029016e65d1174c9
                        • Opcode Fuzzy Hash: 2fc65236ab716d8a42fb7df6a60cd012039533c07fcd427e14fdac1332e1422f
                        • Instruction Fuzzy Hash: 39328022F1464185EB14EB76C4913ED27E2AB88B98F545036EF4E877CAEEBCD145C381
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea264c438c0441b916a6791c6cc774cf96eb49aedd983269a1d666abc4ffdff6
                        • Instruction ID: a9faad33328993a28f36cbf24b6d8e53904f8147ddc98aaaabfc75fb3a814d90
                        • Opcode Fuzzy Hash: ea264c438c0441b916a6791c6cc774cf96eb49aedd983269a1d666abc4ffdff6
                        • Instruction Fuzzy Hash: 2E329022E1854294EB14EB21D4912FE67A6EF84388F804132EB4D877DAFFBCD605C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cda3ccd55855685aa00dfee100d980634f2106a18d1198699ea051f45c0eb924
                        • Instruction ID: fcdfb6a7e7a79364fad2e033a02cb537aabadcaddecb62334362a4a91c0e7831
                        • Opcode Fuzzy Hash: cda3ccd55855685aa00dfee100d980634f2106a18d1198699ea051f45c0eb924
                        • Instruction Fuzzy Hash: 76425F22E1868695EB10EB61C4957FD63A5FF84384F840032EB4D877DAEFB8D505C792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0df97faa470cc14ee1ea29ac3b2b5636ba9c29bb124561b489458b05c2aadf2a
                        • Instruction ID: e1af330845e1c9791425f76a5b2156979ead5af16d9bac1a5ab0a5fa3bea0b46
                        • Opcode Fuzzy Hash: 0df97faa470cc14ee1ea29ac3b2b5636ba9c29bb124561b489458b05c2aadf2a
                        • Instruction Fuzzy Hash: EF328A22F14A9285EB20EF65D8503EE63E2FF84788F445136EA4D87B8AEF78D505C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c9bb5c426b0aa65d6cb143277be5cd406a56d01223c295c5212ee621c83ba39
                        • Instruction ID: ff20429540ab92dc0495e9dd36df7204bbd951788efdd1ef52eb19666e978406
                        • Opcode Fuzzy Hash: 7c9bb5c426b0aa65d6cb143277be5cd406a56d01223c295c5212ee621c83ba39
                        • Instruction Fuzzy Hash: 41226122F0564685FA10EB21859ABBE23D6BF84B54F404936DF0DC77DAEEB8E505C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8b0b0e353f19a51b45f3cf3f382ef68060131e3ce82a89b9ca428450877d58f4
                        • Instruction ID: 50978350dc375ba9c6d78a82616018305c6c23aca29385487d29e389f0c9bc9a
                        • Opcode Fuzzy Hash: 8b0b0e353f19a51b45f3cf3f382ef68060131e3ce82a89b9ca428450877d58f4
                        • Instruction Fuzzy Hash: CD127022E1868245EB14EB71D8513FE67E5EF84754F840032EB4E86ADAEF7CE505C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 864b6e04eba79fb1f1c2c00804d95a1459f1085c4d03eeaec3fc0aab6bb9b9ea
                        • Instruction ID: 449bab740c504e4ac45af2f9d68c74915d11a7f07f254ef72003cd14b3dc9ea2
                        • Opcode Fuzzy Hash: 864b6e04eba79fb1f1c2c00804d95a1459f1085c4d03eeaec3fc0aab6bb9b9ea
                        • Instruction Fuzzy Hash: 87024863D0C2A685FB758B25808037A3BE1EF21744F154236DB8E827E5EBBCE941D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4edf79b435ffdcf01ca9a2f80b7dbabfc924cdcf4c8cbe4b37b1ec1218db0f0c
                        • Instruction ID: 89e639dcd67d27d7be4addcf7b4bed3ceaed8479d65742f73e39ad927f494c60
                        • Opcode Fuzzy Hash: 4edf79b435ffdcf01ca9a2f80b7dbabfc924cdcf4c8cbe4b37b1ec1218db0f0c
                        • Instruction Fuzzy Hash: 7A224E22F1868291EB14EB71C4917EE67A6EB84344F804436EB4D87BDAEFBCD205C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
                        • Instruction ID: b40f9add35a7496a674176e30591824383040cb3debcd76daaa76a5593519a2b
                        • Opcode Fuzzy Hash: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
                        • Instruction Fuzzy Hash: CC228022E2868695EB00EB21D4957FE63A5FB84784F804032EB4D877DAEF7CD505C792
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c53f4012b0480871982ac64a28f2ee8eae255394a1d712b6d00803f4338b0423
                        • Instruction ID: 110b9fe40948f3a0cc81a152247d0db2d9aa0e6f20d97a9aa494d0ba69e59a22
                        • Opcode Fuzzy Hash: c53f4012b0480871982ac64a28f2ee8eae255394a1d712b6d00803f4338b0423
                        • Instruction Fuzzy Hash: E5024C21F0464646FB64EB6194917FE23D6AF84388F444136EB4DC6BCAFFA8E505C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4eeac367e98bdd2bb9ce4d04f9598199172ac38189345f1f401c2f390f2bcfb8
                        • Instruction ID: 505a41960c73a89ca5683b1983c021a6d5a22586abcb26a7cffc971fb0b239e6
                        • Opcode Fuzzy Hash: 4eeac367e98bdd2bb9ce4d04f9598199172ac38189345f1f401c2f390f2bcfb8
                        • Instruction Fuzzy Hash: D7027D36F086468AE714DF65D1856AE23E2FB84784F504436DF0E877CAEE78E805C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba60be75c3be43243a870b10ccf3f8f45540b08a1954f30fb7fc2f5ec871ebbe
                        • Instruction ID: 1dd204d3f3ba6caf6bbdc717d65e67e5c6abf423321f260f11629e9d67f2df7c
                        • Opcode Fuzzy Hash: ba60be75c3be43243a870b10ccf3f8f45540b08a1954f30fb7fc2f5ec871ebbe
                        • Instruction Fuzzy Hash: 53127422E1868655EB10EB22D4913FD63A6FF85384F841032EB4D87BCAEEBCD505C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8286dd72b750ee15d8723b82499ceb96252df748788e1d549023a65851bab086
                        • Instruction ID: a1b8a1b9c9931493b2aa5b6c3667c7e58fd935a451839cf42d8295fb038dcc24
                        • Opcode Fuzzy Hash: 8286dd72b750ee15d8723b82499ceb96252df748788e1d549023a65851bab086
                        • Instruction Fuzzy Hash: EA125122F2854295EB10EB61D8912FD67A6FF94788F804032EB4D87BDAEFB8D505C711
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ca7408c4dea25ae0be73eb1e11f37c85a72d6ae00c7dc052619b5fc7b38b5186
                        • Instruction ID: e86be7915f5eabfbf99c87f1b062bf5005dd43aa0fa6193b57400ca1ed3dc7ec
                        • Opcode Fuzzy Hash: ca7408c4dea25ae0be73eb1e11f37c85a72d6ae00c7dc052619b5fc7b38b5186
                        • Instruction Fuzzy Hash: AE129322F1868294EB10EB71D4913FD67A5EB95384F804032EB4D87BDAEFB8D644C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 49698d6db8f5661b1ad867fe917790c6c823323194c01356e0167e2c469a189c
                        • Instruction ID: fdeb01728c7828360e70f631428c01df4e44b6689f2b814b46199b5f118c45f4
                        • Opcode Fuzzy Hash: 49698d6db8f5661b1ad867fe917790c6c823323194c01356e0167e2c469a189c
                        • Instruction Fuzzy Hash: 28027022F2864295FB00EB61D4916FD63A6EB94384F805432EB4D83BDAEFBCD605C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cf41776e144c64a1d5072b2ab72eb03de80cedf942308edde2e8701d51bf21ba
                        • Instruction ID: 25c4e7a4a69fc722d63f376ebfff37360886639aab1e3bb0862b61ea75bcaeb8
                        • Opcode Fuzzy Hash: cf41776e144c64a1d5072b2ab72eb03de80cedf942308edde2e8701d51bf21ba
                        • Instruction Fuzzy Hash: CB025D62B14A4299EB10DF71C0913EE3765EB44748F804036EF4E97BCAEEB9E609C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d7931a658ac661ddd019a7431b5f2957f00a8c131d9bfe7029ace103e86ccc82
                        • Instruction ID: e85726bbe45b5d10e354df8212e58145b1c80ae25b50fca0c8a4f809b6ce4c5f
                        • Opcode Fuzzy Hash: d7931a658ac661ddd019a7431b5f2957f00a8c131d9bfe7029ace103e86ccc82
                        • Instruction Fuzzy Hash: 41F16222E1868245FB14EB61D8513FE63E5EF84354F840132EB4E866DAEFBCE505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 41ee5e5d294b235c892767272f6d1e9a94d685714fe028828f690d5016b22dc3
                        • Instruction ID: baa01f3a703d28f8c083c02e817a99f7eee710e4ed68a64096eeaab51f8c5a2c
                        • Opcode Fuzzy Hash: 41ee5e5d294b235c892767272f6d1e9a94d685714fe028828f690d5016b22dc3
                        • Instruction Fuzzy Hash: D7025022E2854254FB10EB61D8517FE67E6AF94384F804032EB4D87BDBEFA8D505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18b3cd5f6198ef7be874bb914c6d0981fc37c4d625a98485d7f5bd3273c2bc18
                        • Instruction ID: b8df97554db86cedc48c876f882e4355dabe8990e208b2fb8510eed25a10dd43
                        • Opcode Fuzzy Hash: 18b3cd5f6198ef7be874bb914c6d0981fc37c4d625a98485d7f5bd3273c2bc18
                        • Instruction Fuzzy Hash: D3F16122E2858255EB50EB31D8913FD67A6EF94348F844032EB4DC6ADBEFB8D605C711
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1bedf27138287655fc240ad79a4421bcc5fe940d80e1a0e548dfe17170149a68
                        • Instruction ID: c10b1792183f2d427ba99258a8a9db7b100cc46348034815489b407e37f3f93a
                        • Opcode Fuzzy Hash: 1bedf27138287655fc240ad79a4421bcc5fe940d80e1a0e548dfe17170149a68
                        • Instruction Fuzzy Hash: A6E18022E1868245FB10EB75D8513FE67E6EF90354F844032EB4D86ADAEFA8E505C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4d39cbaac4b338871f11010f850639bf0525ee411b47aae962b1daa3caead41b
                        • Instruction ID: de1af7be98db76445b40e7ca70ada9f9a67bf43f8316a9f9f05b3ba1fc0efc76
                        • Opcode Fuzzy Hash: 4d39cbaac4b338871f11010f850639bf0525ee411b47aae962b1daa3caead41b
                        • Instruction Fuzzy Hash: D3E16422E18A4295EB00EB61D4516EE67A6FF94384F900132EF4D87BDAEFACD605C701
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0d57bfa444966e6f023a4221ec50df35c7c1dd19f5eed092e5a3a55c1e83c6de
                        • Instruction ID: 2141f3ed4035541890cb374cd372f214f86fea4c2333ee2be50bbdfd3a72bc6a
                        • Opcode Fuzzy Hash: 0d57bfa444966e6f023a4221ec50df35c7c1dd19f5eed092e5a3a55c1e83c6de
                        • Instruction Fuzzy Hash: B6C1471392C2D04BD7558B3664913BABFD0EB99388F180175EFC9D6BEBDA2CC2148B50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a37fc0be463cec26f620ca6216cb35e336945b852bc4d17c3f9d1dbec3c822f8
                        • Instruction ID: 4d19b48b237e31e3b81e060b73fa9fda609b3145d0a060c1dbad729d41a57899
                        • Opcode Fuzzy Hash: a37fc0be463cec26f620ca6216cb35e336945b852bc4d17c3f9d1dbec3c822f8
                        • Instruction Fuzzy Hash: 47D16122F2854291EB00EB61D4957EE67A6FB94384F900432EB4D87BDAEFBCD605C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bc0708fc1c73d8941a34065a4871eb711c6ad2856ca601ccbb6574e8ac45723f
                        • Instruction ID: e60a25dbc8116b305b99242ca7d8d26c7c14fd609524235ff8c72954fdd11cfc
                        • Opcode Fuzzy Hash: bc0708fc1c73d8941a34065a4871eb711c6ad2856ca601ccbb6574e8ac45723f
                        • Instruction Fuzzy Hash: 84C16E22F0854285FB20EB6590517FE67E3AF84388F484436EF4D967DAEEB8E505C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindNext
                        • String ID:
                        • API String ID: 2029273394-0
                        • Opcode ID: 024004a2f1e0aab5a08ac926a857df26225b1e34f16efa8be49430db83af4991
                        • Instruction ID: 326debc5aa35eb04773353ae1f1dded909045b04017eb327165be3217ddaffab
                        • Opcode Fuzzy Hash: 024004a2f1e0aab5a08ac926a857df26225b1e34f16efa8be49430db83af4991
                        • Instruction Fuzzy Hash: 1CD16D22E18A4295EB00EB61D4913FD67A5FF84784F844032EB5D877CAEFB8E505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2cc29ed68235f236e77f0bf7fd74c4fc817e4378d077e50c520afa71d43f1578
                        • Instruction ID: 2376a74414d6acf2db69dca4bfa30821c34cb76480cdaf9722337707d929aae2
                        • Opcode Fuzzy Hash: 2cc29ed68235f236e77f0bf7fd74c4fc817e4378d077e50c520afa71d43f1578
                        • Instruction Fuzzy Hash: 7BC13E21F1964295FB10EBA184953ED23E6AF54788F804432EF0D977DAFEB8E605C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
                        • Instruction ID: d07ff617448637d1bf3174e4749a9a803566cb6689b25e5d6263eb6d39221738
                        • Opcode Fuzzy Hash: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
                        • Instruction Fuzzy Hash: EDB16D26F2462244EB04EB62D4516ED63A6BF89BC4F845036EE0D87BD6EEBCD505C312
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d07156d8ecc689323fed5d66e6e385d9544b266ab4fbb8ee9d771530b16a358c
                        • Instruction ID: 1800d1f5353e08a60a2d43432a749ea016ad7cf8082b6a3fabcb527702972074
                        • Opcode Fuzzy Hash: d07156d8ecc689323fed5d66e6e385d9544b266ab4fbb8ee9d771530b16a358c
                        • Instruction Fuzzy Hash: 5EC16022F1860655FB24EB61C4913FD63A1AB54788F844436DF0E97BCAFEB8E509C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f3d8e02df5bdca70f0916dcd3a0075590521a106d8d4394526b8a5d32c0bb22
                        • Instruction ID: b288e7af198e0babbca89a23eb6290e6d897c876d9e058838c617aaf8d2f493e
                        • Opcode Fuzzy Hash: 4f3d8e02df5bdca70f0916dcd3a0075590521a106d8d4394526b8a5d32c0bb22
                        • Instruction Fuzzy Hash: 6DC1A122F0864296EB14DB61D4903FC63E5AF88358F480632DB1D97BC6EFB8E565C351
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 121bd04b884ab121c2460e1dd0a04212ad256fa3e1d652ae2b69580ac5b3422d
                        • Instruction ID: b2947418c75219cd1f68d524d655a14f7086f7085ff2e57d06a9c98fe15eda5b
                        • Opcode Fuzzy Hash: 121bd04b884ab121c2460e1dd0a04212ad256fa3e1d652ae2b69580ac5b3422d
                        • Instruction Fuzzy Hash: 7FC15C22F1864299FB20EBA0D4517FD63A6AF94348F844432DF0D96BDAEFB8D505C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fab0db317bb450272c3d26bdef195c1e317ff54503270bf17904a0dba37ca863
                        • Instruction ID: 54dd06906c887fa5ac4bc638c5ec1778e189c10538f81429981777c912de57f1
                        • Opcode Fuzzy Hash: fab0db317bb450272c3d26bdef195c1e317ff54503270bf17904a0dba37ca863
                        • Instruction Fuzzy Hash: 0EA1F522E1868642EB618B2595947BA27E1EF843A4F544131EF1DCB7C9FFBCD901C742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d63a7e414d8a8272c70ae752082dcafcd38557ac21e0a582004195ef42948494
                        • Instruction ID: de115cb9d2aa0ca906e9ec97629628688b1adc0b312a39874ace0e9d04cb9133
                        • Opcode Fuzzy Hash: d63a7e414d8a8272c70ae752082dcafcd38557ac21e0a582004195ef42948494
                        • Instruction Fuzzy Hash: F0B15C22F1854686FA14EB21D4517FE63E2AF94784F844432EB4D87BDAFEBCE5048742
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
                        • Instruction ID: 5058ff2a960070c67fe65fb29a6138b286908b272330e9df0c509b70084a7004
                        • Opcode Fuzzy Hash: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
                        • Instruction Fuzzy Hash: 85A13A63C0C2A645FB758B21818137A7FE1EF21749F054232DB8A827D6E6BCE945D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
                        • Instruction ID: ef9b48e5ab0c9529dc69db1c701fd018cc861c89db2b6bc0c8d24c95215cec3c
                        • Opcode Fuzzy Hash: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
                        • Instruction Fuzzy Hash: 89B17121E1868295EB04EB61E4557FE63A2FF84784F801032EB4E877DAEE7CE505C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0fe2c6bfb0624892a001b874f372e9dee793c9d2efb3cf2491bb8942c5ee9760
                        • Instruction ID: 102c13383423d200dffd204f8b03c36c7b7358e596ea8bd632326466e7a41b3c
                        • Opcode Fuzzy Hash: 0fe2c6bfb0624892a001b874f372e9dee793c9d2efb3cf2491bb8942c5ee9760
                        • Instruction Fuzzy Hash: 14A17D22F0864285FB11EB6194807AA23E5EF98784F440536EF5D87BD9FFB8D905C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                        • Instruction ID: 928012865dfb4210217338b297481bd710bdb8e99c520bdb23e4235a0bf75873
                        • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
                        • Instruction Fuzzy Hash: FCA13B63C0C2A685FB758B21818137A7FE1EF21749F054232DBCA827D5E6BCE945D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                        • Instruction ID: 2b3bd3fc233535bfc67ce69e5b1dc78487f53e45b9be1741a873dd0a77a32402
                        • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
                        • Instruction Fuzzy Hash: 3BA12B63C0C2A685FB758B21818137A7FE1EF21749F054232DBCA827D6E6BCE945D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                        • Instruction ID: 9930c2495a1ffdb97e5a00ce9c15a313f6e2eceeac97724ce936bc2e1ef51080
                        • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
                        • Instruction Fuzzy Hash: C9A12B63C0C2A685FB758B21818137A7FE1EF21749F054232DBCA827D6E6BCE945D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                        • Instruction ID: 71da198d8aa09b55d5eb251a823cfeb91b4eb2c89eba20a7c6194dd63b84cb25
                        • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
                        • Instruction Fuzzy Hash: 47A12B63C0C2A645FB758B21818137A7FE1EF21749F054232DBC9827D5E6BCE945DB12
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                        • Instruction ID: ae10832b23c55125474b47defb1a030a4f617001723382139c1479e3f06f7ae5
                        • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
                        • Instruction Fuzzy Hash: FBA12B63C0C2A685FB758B21818137A7FE1EF21749F054232DBCA827D6E6BCE945D712
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f34a7650f83c215ab71b07b7f710fbf19cd361bddfc39bbbc4e712bf1a42660a
                        • Instruction ID: 84f3775c12ae449cc11a49a7cd1249063c8849af18cc1c0983e884de40372930
                        • Opcode Fuzzy Hash: f34a7650f83c215ab71b07b7f710fbf19cd361bddfc39bbbc4e712bf1a42660a
                        • Instruction Fuzzy Hash: E1918D22F0968685FB50EB61D5517FE22E6AF84744F444432DE0E87BCAEE7CE505C382
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e12a801f285ad8d7fd3008f077e8ebf0a219db12c7ccb511be44f64a4d25bfbd
                        • Instruction ID: 0fb7e57e52db91b8bbea4d7dfbf8e05ecb68d84b05eb8ee0c3a6ec3d1a46d98f
                        • Opcode Fuzzy Hash: e12a801f285ad8d7fd3008f077e8ebf0a219db12c7ccb511be44f64a4d25bfbd
                        • Instruction Fuzzy Hash: D9A16E22E1868255EB14EB61D4512FE63E6EF84784F840032EB4D87BDAEFBCE505C752
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 639e66b3a2cee6d4bf0f24f4c54754700b2d7f331da3e3623bb8c31b24707812
                        • Instruction ID: 1d58b4afaa4e71e3ef4382aeef04dbf24abb25ebd589d12e30e9bf742e19baa8
                        • Opcode Fuzzy Hash: 639e66b3a2cee6d4bf0f24f4c54754700b2d7f331da3e3623bb8c31b24707812
                        • Instruction Fuzzy Hash: B0A13222F1454699FB10EB71D4512FD23E6AF94358F804432EB4D97ACAEFB8E605C392
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 76d9b8d353818c09a7bb29c74507ba60d098daf803a2f9059ac3f2bc95e9c783
                        • Instruction ID: 631d327c87f01404bd1799107cbcef7e7836a741ef230e611c9d9b9e7f203e5a
                        • Opcode Fuzzy Hash: 76d9b8d353818c09a7bb29c74507ba60d098daf803a2f9059ac3f2bc95e9c783
                        • Instruction Fuzzy Hash: B5910F22F1854299FB14EBB1C4917FD13A69F94388F844436EE0D97BCAFEA8D509C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 602df0f912a0266826ae95382de917ca56f87244d0cca7282de58980134807f6
                        • Instruction ID: 55122cec0c20a1690c5a9297b22ba440cd26b41da5a46364a051ef379923e45a
                        • Opcode Fuzzy Hash: 602df0f912a0266826ae95382de917ca56f87244d0cca7282de58980134807f6
                        • Instruction Fuzzy Hash: FB917D22F2854291EB00EB61D4956EE67A6FF98784F841032EB4D83BDBEFACD504C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
                        • Instruction ID: f80807f55b552806e4f223747647738215ea7be1ecf17a59e26a08bb355d7b13
                        • Opcode Fuzzy Hash: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
                        • Instruction Fuzzy Hash: 7B81CB62E0864686FB209B2AD44467F67E2F785B90F184532CF8E877E5EEBCD441D312
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: be0b807f580b01de70e4a1b0faf3c283f94bb89c829bdc9f1f20de9c8d5e0cfc
                        • Instruction ID: 1f82476c2a6b970b7ab3e37fbef39032f6b4dc8b99c86e2d7b89e7f4ed24be42
                        • Opcode Fuzzy Hash: be0b807f580b01de70e4a1b0faf3c283f94bb89c829bdc9f1f20de9c8d5e0cfc
                        • Instruction Fuzzy Hash: 02916022F1858286F710DB61D4553FE63E1AF98348F884432DB5D87BDAEFA8D944C382
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f081d7b1d390739adf9305e6587bd1f48f1a61c06a715782d880083b9f0217c
                        • Instruction ID: b3dd05c0751d9584cf3fa875297ce46bc72ed478c81b6b65ac2b46c36a9245c3
                        • Opcode Fuzzy Hash: 7f081d7b1d390739adf9305e6587bd1f48f1a61c06a715782d880083b9f0217c
                        • Instruction Fuzzy Hash: FC914F22F0854296FB14EBB0D5917FD23A3AF84354F440532EB1D97ADAEFA8E515C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000001.00000002.259525388.00007FFFE1FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFE1FD0000, based on PE: true
                        • Associated: 00000001.00000002.259519021.00007FFFE1FD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259668356.00007FFFE2053000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259698830.00007FFFE2066000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000001.00000002.259705731.00007FFFE2068000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_1_2_7fffe1fd0000_loaddll64.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6399b058b5009f139946745756a349464e7e0b54664bb60de9d6b060e90caadf
                        • Instruction ID: 31fa2f60d0d53f2d31019902896c906014342ac9bcbf9632c4e0d0a117a1494d
                        • Opcode Fuzzy Hash: 6399b058b5009f139946745756a349464e7e0b54664bb60de9d6b060e90caadf
                        • Instruction Fuzzy Hash: 61815C22F1864295EB00EB71D4916FD23E6AF88788B844532EF0D87BCAEFA8D505C751
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        Uniqueness Score: -1.00%

                        Similarity
                        • API ID: CreateMutex
                        • String ID:
                        • API String ID: 1964310414-0
                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:18.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:15
                        Total number of Limit Nodes:1
                        execution_graph 226 254a2cf2978 227 254a2cf2986 226->227 232 254a2cf2060 VirtualAlloc 227->232 229 254a2cf29a2 234 254a2cf2264 229->234 231 254a2cf29ba 233 254a2cf20c4 232->233 233->229 235 254a2cf230f 234->235 236 254a2cf238c VirtualProtect 234->236 235->236 237 254a2cf23ee 236->237 238 254a2cf244d VirtualProtect 237->238 239 254a2cf2507 VirtualProtect 238->239 240 254a2cf2544 238->240 239->240 242 254a2cf25c5 240->242 243 254a2cf258c RtlAvlRemoveNode 240->243 242->231 243->242

                        Callgraph

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.336657857.00000254A2CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000254A2CF0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_254a2cf0000_rundll32.jbxd
                        Similarity
                        • API ID: ProtectVirtual$NodeRemove
                        • String ID:
                        • API String ID: 3879549435-0
                        • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction ID: 4cdb2757af6d0299ea0e7f706e0122255d4de7a87b663d4295d7ec7740d0887c
                        • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction Fuzzy Hash: A8B154B6618BC586E770CB1AE45079EB7A0F7C9B84F108026EE8D53B58DB7DC8918F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000254A2CF29A2), ref: 00000254A2CF20B0
                        Memory Dump Source
                        • Source File: 00000004.00000002.336657857.00000254A2CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000254A2CF0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_254a2cf0000_rundll32.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction ID: 1253e8589fae076c04d3e59fbeb314b882730c82d8d31210856d4a44f82d384a
                        • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction Fuzzy Hash: 77318072619B8086D790DF1AE45579A7BB0F389BC4F204026EF8D87B58DF7AC482CB04
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:18.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:15
                        Total number of Limit Nodes:1
                        execution_graph 226 18fac3a2978 227 18fac3a2986 226->227 232 18fac3a2060 VirtualAlloc 227->232 229 18fac3a29a2 234 18fac3a2264 229->234 231 18fac3a29ba 233 18fac3a20c4 232->233 233->229 235 18fac3a238c VirtualProtect 234->235 236 18fac3a230f 234->236 237 18fac3a23ee 235->237 236->235 238 18fac3a244d VirtualProtect 237->238 239 18fac3a2507 VirtualProtect 238->239 240 18fac3a2544 238->240 239->240 241 18fac3a25c5 240->241 243 18fac3a258c RtlAvlRemoveNode 240->243 241->231 243->241

                        Callgraph

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.238895739.0000018FAC3A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018FAC3A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_18fac3a0000_rundll32.jbxd
                        Similarity
                        • API ID: ProtectVirtual$NodeRemove
                        • String ID:
                        • API String ID: 3879549435-0
                        • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction ID: 627724e03d09abc28353c21365f2681f99eb9b8947a417d5b72fd1fb803ff7eb
                        • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction Fuzzy Hash: ADB15376618BC486D770CB1AE4407DAB7A1F7C9B90F10802AEE8D53B58DF3AC9528F40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000018FAC3A29A2), ref: 0000018FAC3A20B0
                        Memory Dump Source
                        • Source File: 00000005.00000002.238895739.0000018FAC3A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000018FAC3A0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_18fac3a0000_rundll32.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction ID: d7acad39fbe6bf5d5190cfa746cb06e0e5fb11a672e19849e0cccfa04b28171f
                        • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction Fuzzy Hash: 45314BB6615B8086D790DF1AE45479A7BB0F389BD4F204026EF8D87B18DF3AC4528B00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:18.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:15
                        Total number of Limit Nodes:1
                        execution_graph 226 208b54f2978 227 208b54f2986 226->227 232 208b54f2060 VirtualAlloc 227->232 229 208b54f29a2 234 208b54f2264 229->234 231 208b54f29ba 233 208b54f20c4 232->233 233->229 235 208b54f230f 234->235 236 208b54f238c VirtualProtect 234->236 235->236 237 208b54f23ee 236->237 238 208b54f244d VirtualProtect 237->238 239 208b54f2507 VirtualProtect 238->239 240 208b54f2544 238->240 239->240 242 208b54f258c RtlAvlRemoveNode 240->242 243 208b54f25c5 240->243 242->243 243->231

                        Callgraph

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000008.00000002.245959337.00000208B54F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000208B54F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_208b54f0000_rundll32.jbxd
                        Similarity
                        • API ID: ProtectVirtual$NodeRemove
                        • String ID:
                        • API String ID: 3879549435-0
                        • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction ID: e23d67b11b6fbe7b37737b24d45aa84253edb18b7ab31c96c1f36477acf06745
                        • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction Fuzzy Hash: CAB152B6618BC486D7308B1AE44079AB7A1F7C9B84F108026EECD93B59DF39C8818F44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000208B54F29A2), ref: 00000208B54F20B0
                        Memory Dump Source
                        • Source File: 00000008.00000002.245959337.00000208B54F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000208B54F0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_8_2_208b54f0000_rundll32.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction ID: d24389d74a26ce5f0dad5c9c2b62699de6185902c0ebe35144db372d36f6b407
                        • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction Fuzzy Hash: 3F315EB6615B9086D790DF1AE45579A7BB0F389BD4F205026EF8D87B18DF3AC482CB04
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:18.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:15
                        Total number of Limit Nodes:1
                        execution_graph 226 1eb1b662978 227 1eb1b662986 226->227 232 1eb1b662060 VirtualAlloc 227->232 229 1eb1b6629a2 234 1eb1b662264 229->234 231 1eb1b6629ba 233 1eb1b6620c4 232->233 233->229 235 1eb1b66230f 234->235 236 1eb1b66238c VirtualProtect 234->236 235->236 237 1eb1b6623ee 236->237 238 1eb1b66244d VirtualProtect 237->238 239 1eb1b662544 238->239 242 1eb1b662507 VirtualProtect 238->242 241 1eb1b66258c RtlAvlRemoveNode 239->241 243 1eb1b6625c5 239->243 241->243 242->239 243->231

                        Callgraph

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000009.00000002.253344938.000001EB1B660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EB1B660000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_1eb1b660000_rundll32.jbxd
                        Similarity
                        • API ID: ProtectVirtual$NodeRemove
                        • String ID:
                        • API String ID: 3879549435-0
                        • Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction ID: 6b7fe43f436adb19979644a2a4c9d3242201daa6d34992b390370907cf8c7fc8
                        • Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
                        • Instruction Fuzzy Hash: A9B15276618BC486D7308B5AF480BDEB7A0F7D9B90F10812AEE8D53B58DB39C8518F40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001EB1B6629A2), ref: 000001EB1B6620B0
                        Memory Dump Source
                        • Source File: 00000009.00000002.253344938.000001EB1B660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001EB1B660000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_9_2_1eb1b660000_rundll32.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction ID: d5a8a0a8c60eb33ac122bbaa1a93a2510b2f2077f0b03b2bec52e477d171d0e8
                        • Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
                        • Instruction Fuzzy Hash: 67312BB6619A90C6D790DF5AE49579A7BB0F389BD4F205026EF8D87B18DF39C4428B00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:2.5%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:397
                        Total number of Limit Nodes:43
                        execution_graph (rendered graph omitted; the flattened node/edge dump covered nodes in the 7fffef96d410 to 7fffef9a5792 range, labelled _RunAllParam, plus a second subgraph at 1ef82542060 to 1ef825425c5; APIs named in the graph: RtlReleasePrivilege, LdrLoadDll, FindNextFileW, RtlCreateHeap, FindFirstFileExW, GetSystemInfo, NtClose, GetTokenInformation, RegCloseKey, RegEnumKeyW, RegOpenKeyExW, RegEnumValueA, RegQueryValueExA, VirtualAlloc, VirtualProtect, RtlAvlRemoveNode)

                        Control-flow Graph

                        (Rendered graph omitted; the executed / not-executed colouring of nodes is not recoverable from the text.) Function at 7fffef97bae0, basic blocks 7fffef97bae0 to 7fffef97c463-7fffef97c4c2. Imports reached directly from its blocks: NtReadVirtualMemory in 7fffef97bd81-7fffef97bda0 and RtlQueueApcWow64Thread in 7fffef97bf6a-7fffef97bf83. Internal routines it calls, in order of first appearance: 7fffef989ad0, 7fffef980150, 7fffef97fcc0, 7fffef9890b0, 7fffef980bc0, 7fffef980e20, 7fffef9806d0, 7fffef980280, 7fffef97fcb0, 7fffef977fac, 7fffef97a7a0, 7fffef97fca0, 7fffef97cf00, 7fffef986d10, 7fffef9a20e0, 7fffef97c4d0, 7fffef97c970, 7fffef97aa70, 7fffef97c8b0, 7fffef9a23c0, 7fffef97a8e0, 7fffef98f150, 7fffef97b960, 7fffef9802b0 and 7fffef9a15d0.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: MemoryQueueReadThreadVirtualWow64
                        • String ID: S4$vfoR$vfoR$vfoR$vfoR
                        • API String ID: 3647366088-2269768260
                        • Opcode ID: 79070dd8448f94aa3401c1766446ffad0b9116e2b4d22f09ec69a9afdbb84340
                        • Instruction ID: f04d10c7aea593dde17fdb6964370ee85552defcf3c6ef134dca9af84d0fa060
                        • Opcode Fuzzy Hash: 79070dd8448f94aa3401c1766446ffad0b9116e2b4d22f09ec69a9afdbb84340
                        • Instruction Fuzzy Hash: F642B021A1A78245FA50EF61DC513BE62D1AF847F8F444231EA9E1B7DEEE3CE5058342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: Section$DuplicateObjectView$CreateUnmap
                        • String ID:
                        • API String ID: 1515463610-0
                        • Opcode ID: a5919fb316de3a9be91a3605f9f80e2e516974f32a94f7bd66c9f9dfdf12f777
                        • Instruction ID: 9f8e17891673d317c274a045cd7feddcd78034e38920e67321edd8c6414bb2a1
                        • Opcode Fuzzy Hash: a5919fb316de3a9be91a3605f9f80e2e516974f32a94f7bd66c9f9dfdf12f777
                        • Instruction Fuzzy Hash: FE51BE72A147918AEB50CF65A8803AE37E0FB453A8F144235EEAE1BBD9DF38C450C741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • CreateFileMappingW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C543
                        • NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C5D5
                        • NtUnmapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C61F
                        • NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C65B
                        • NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C6B5
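                        The five API lines above are the only place in this entry where the report pairs each resolved import with its module, the argument snapshot and the static call-site address. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in exactly that rendered format, orders them by call-site address, and maps them onto the building blocks of a section-based injection (create or map a section, then hand the view to another process via handle duplication or an APC). The primitive grouping and the function names (parse_api_lines, call_site_order, primitives_hit, looks_like_section_injection) are the editor's own assumptions; the sample input is the five lines copied from the table above.

```python
"""Parse Joe Sandbox "APIs" table lines and map the calls onto injection primitives.

Added example (not from the Joe Sandbox report or the analysed sample). It consumes
per-function API lines exactly as the report renders them, e.g.
  "CreateFileMappingW.KERNELBASE(?,?,...,00000001,?,?), ref: 00007FFFEF97C543"
The PRIMITIVES grouping is an assumption made for illustration.
"""
import re
from dataclasses import dataclass

# <optional bullet> <Api>.<MODULE>(<args>), ref: <hex call-site address>
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Coarse grouping of Windows APIs into the building blocks of process injection.
# Assumed grouping; extend it to whatever your own triage needs.
PRIMITIVES = {
    "shared_section": {"CreateFileMappingW", "CreateFileMappingA", "NtCreateSection",
                       "NtMapViewOfSection", "MapViewOfFile"},
    "section_unmap": {"NtUnmapViewOfSection", "UnmapViewOfFile"},
    "handle_duplication": {"NtDuplicateObject", "DuplicateHandle"},
    "remote_memory_read": {"NtReadVirtualMemory", "ReadProcessMemory"},
    "apc_queue": {"RtlQueueApcWow64Thread", "NtQueueApcThread", "QueueUserAPC"},
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int  # static call-site address exactly as printed after "ref:"


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per line that matches the report's API table format."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings, dump-source lines and anything else are skipped
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def call_site_order(calls) -> list:
    """API names sorted by call-site address.

    Caveat: this is the static layout order of the call sites, not the order the
    sandbox observed at run time; loops and branches can execute them differently.
    """
    return [c.api for c in sorted(calls, key=lambda c: c.ref)]


def primitives_hit(calls) -> dict:
    """Map each injection primitive to the set of APIs from `calls` that belong to it."""
    hits = {}
    for name, apis in PRIMITIVES.items():
        seen = {c.api for c in calls if c.api in apis}
        if seen:
            hits[name] = seen
    return hits


def looks_like_section_injection(calls) -> bool:
    """True when one function both creates/maps a section and hands it to another
    context (handle duplication) or queues an APC: the shape the table above shows."""
    hits = primitives_hit(calls)
    return "shared_section" in hits and (
        "handle_duplication" in hits or "apc_queue" in hits
    )


# The five lines of the APIs table from the report entry above, copied verbatim.
REPORT_API_LINES = """\
• CreateFileMappingW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C543
• NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C5D5
• NtUnmapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C61F
• NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C65B
• NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFFEF97C6B5
"""

if __name__ == "__main__":
    calls = parse_api_lines(REPORT_API_LINES)
    for c in sorted(calls, key=lambda c: c.ref):
        print(f"{c.ref:016x} {c.module}!{c.api} ({len(c.args)} args)")
    print("primitives:", primitives_hit(calls))
    print("section injection shape:", looks_like_section_injection(calls))
```

                        Ordering by `ref` recovers where the call sites sit in the function, which is useful for reading the disassembly but is not the run-time order; for that, use the sandbox's dynamic API trace. Treat the primitive match as a triage hint that says which function to open in the disassembler first, not as a verdict on its own.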
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: DuplicateObjectSectionView$CreateFileMappingUnmap
                        • String ID:
                        • API String ID: 640117302-0
                        • Opcode ID: 1a5b227e8df65a2a7581192521af3e96d23f24937b37de4b67eef808c310aa91
                        • Instruction ID: 289f93e7120a5645e2e9ca48d990b7cc0ea607bdae3bd3ebcb4978bb7651fdd6
                        • Opcode Fuzzy Hash: 1a5b227e8df65a2a7581192521af3e96d23f24937b37de4b67eef808c310aa91
                        • Instruction Fuzzy Hash: F0518A62A0978185EA209F55A8412AFB6D1EB857B4F184739EEEE07BD9DF3CD400C702
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: ProtectVirtual$CloseContinueCreateHandlerThreadUserVectored
                        • String ID:
                        • API String ID: 238847861-0
                        • Opcode ID: 05735a28f3e0b71d633d86495be0ff456b8aca840665f888ab55937f3f5ee976
                        • Instruction ID: 6397a8cfe7ea4483b4e543450ed5a38b3e264c9c99456e85dd231fd2b9a042b4
                        • Opcode Fuzzy Hash: 05735a28f3e0b71d633d86495be0ff456b8aca840665f888ab55937f3f5ee976
                        • Instruction Fuzzy Hash: F751F3727197418AE7A49F70A8803AE36D2EB85768F544139EA8F0BBDDDF39D401C702
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: Thread32$CreateFirstNextProcessSnapshotToolhelp32
                        • String ID:
                        • API String ID: 1399924146-0
                        • Opcode ID: d294321f0bac92b727a530855e5672fad18f4f4f34fc753bd52d168ef6815d03
                        • Instruction ID: b8aec96462ab26ac3626db22af418897e779e27c6133574dc91159a59bde9253
                        • Opcode Fuzzy Hash: d294321f0bac92b727a530855e5672fad18f4f4f34fc753bd52d168ef6815d03
                        • Instruction Fuzzy Hash: CF418222A2D78295E7649F2498413BE66D1EFC4790F584431EACE476DDEE2CE500C702
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5e3f181cfd2f9f10335a9a74ff9f7ada906af1f2bcd8cced6cefd86a722370a2
                        • Instruction ID: 39698e6e33588d80f424e30f03af4b23122b14eb69433d6cb2d1069ddb4710bd
                        • Opcode Fuzzy Hash: 5e3f181cfd2f9f10335a9a74ff9f7ada906af1f2bcd8cced6cefd86a722370a2
                        • Instruction Fuzzy Hash: 89039C22A187C682EA559F15D8403BD67E1FB85BA8F584032CA8E4B7DDDF3CE545C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        (Rendered graph omitted; the executed / not-executed colouring of nodes is not recoverable from the text.) Function at 7fffef99ed10, basic blocks 7fffef99ed10 to 7fffef99ee61-7fffef99ee72. Import reached directly from its blocks: FindFirstFileExW in 7fffef99ed53-7fffef99ed76. Internal routines called: 7fffef99ddc0, 7fffef989ad0 and 7fffef98d730.
                        APIs
                        Strings
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: FileFindFirst
                        • String ID: .
                        • API String ID: 1974802433-248832578
                        • Opcode ID: ff81af2d261303690ea493e3242ce8d1552905d18e62b81d1f6e499c765c4368
                        • Instruction ID: 9c9109d33980ce6c4be49ac520b5782ed702abb4b234991ade9506f52e8a6529
                        • Opcode Fuzzy Hash: ff81af2d261303690ea493e3242ce8d1552905d18e62b81d1f6e499c765c4368
                        • Instruction Fuzzy Hash: CF41B521A0868142EB656F34D90037D23D1EB44BB8F198675DAAD077ECDF6CE886C362
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        (Rendered graph omitted; the executed / not-executed colouring of nodes is not recoverable from the text.) Function at 7fffef97aa70, basic blocks 7fffef97aa70 to 7fffef97b216-7fffef97b24f. Imports reached directly from its blocks: NtDuplicateObject in 7fffef97b071-7fffef97b095 and RtlQueueApcWow64Thread in 7fffef97b144-7fffef97b155, the latter inside a loop formed by 7fffef97b100-7fffef97b142, 7fffef97b144-7fffef97b155 and the back edge from 7fffef97b157-7fffef97b15d. Internal routines called: 7fffef97cb00, 7fffef97fcd0, 7fffef97fcc0, 7fffef97fcb0, 7fffef97fca0, 7fffef989ad0, 7fffef986d80, 7fffef980280, 7fffef980150 and 7fffef97cf00.
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: Thread32$CreateFirstNextProcessSnapshotToolhelp32
                        • String ID:
                        • API String ID: 1399924146-0
                        • Opcode ID: 834109a297285b3c71215d82564d5db0d44c9963ad1666fc9e5e0ec73651e69e
                        • Instruction ID: c63311c7de66a949bbcdcce16424186d5de7d0c5dfaa6c986656910a3a81a6b7
                        • Opcode Fuzzy Hash: 834109a297285b3c71215d82564d5db0d44c9963ad1666fc9e5e0ec73651e69e
                        • Instruction Fuzzy Hash: 46229F26B0A64246FA20EF21E8513BD63D1FF847A8F444135DA8E577DAEE3CE505C382
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: CloseDuplicateObject
                        • String ID:
                        • API String ID: 2007153175-0
                        • Opcode ID: f9da89d3507db4a1887d6450d231f2242fa1c5688a04162f854e641ab81b31cc
                        • Instruction ID: da0b6eb3be6f7a596bb01dc9784b4426286c0a47da9567edcee1ccc210ffdecd
                        • Opcode Fuzzy Hash: f9da89d3507db4a1887d6450d231f2242fa1c5688a04162f854e641ab81b31cc
                        • Instruction Fuzzy Hash: C0119031A1978946EA10DF51A54136E7291EB84BE0F084235EE9E17BCDDF3CD400CB46
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source: identical to the first entry above (source file 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp at offset 00007FFFEF940000, same four associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd)
                        Yara matches
                        Similarity
                        • API ID: InfoSystem
                        • String ID:
                        • API String ID: 31276548-0
                        • Opcode ID: d865aafef4abeeda741963791a5c8816191fe4801083d7ca403ac3fcd0a015d3
                        • Instruction ID: 2af5f9bb91ae618b455aaf5495cd556f4c52aea4ecc7b3b6fd01a3c31c264c64
                        • Opcode Fuzzy Hash: d865aafef4abeeda741963791a5c8816191fe4801083d7ca403ac3fcd0a015d3
                        • Instruction Fuzzy Hash: 3A82BD62A0878282EB659F25D8403BD67E0FB85BA4F598476CA8D077EDDF3CE444C352
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bccb5b6955ed9ec30ef0630396ab279aebbaaecab2cfa1876175928a4d7afc1
                        • Instruction ID: 4f90223c0c025646f90a97eb5ebdf86af446ffe561d862eba4cc6980ec3a91ad
                        • Opcode Fuzzy Hash: 5bccb5b6955ed9ec30ef0630396ab279aebbaaecab2cfa1876175928a4d7afc1
                        • Instruction Fuzzy Hash: CE728A62A287C281EB259F15D8403BD67E1FB45BA8F944032CA8E477DDDF38E944C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: DelayExecution
                        • String ID:
                        • API String ID: 1249177460-0
                        • Opcode ID: ee46e041127c6ad28bfb1b8d21f2a5045cdff47425997b2929b65cae048b17d9
                        • Instruction ID: 849221a8df9976def6904f77b4d7e98c0b547025b4293d232bf36e3c3da6d300
                        • Opcode Fuzzy Hash: ee46e041127c6ad28bfb1b8d21f2a5045cdff47425997b2929b65cae048b17d9
                        • Instruction Fuzzy Hash: BC129F22A187C582EB248F15E8403BD67E4FB85BA8F585036CA8E1B7D9DF3CE445C342
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationQuerySystem
                        • String ID:
                        • API String ID: 3562636166-0
                        • Opcode ID: b768d88cb62ac93967b26eb5618103c9613037b14c3b578c88e657aa7c785ad8
                        • Instruction ID: e1cd54783236c4f42a3086925f6c655bb5f871015c89c2d21825e3709702342a
                        • Opcode Fuzzy Hash: b768d88cb62ac93967b26eb5618103c9613037b14c3b578c88e657aa7c785ad8
                        • Instruction Fuzzy Hash: 6AB16B36B05A829AE754EF25D9403AE33E4FB847A8F445036DA8E47BD9DF38E424C701
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindLoadNext
                        • String ID:
                        • API String ID: 50669962-0
                        • Opcode ID: b022b4422caff96e9d1025a852846c3ee55090d35a1b8134f031eb11976aa1e5
                        • Instruction ID: 2c40acb165691ef479e6db6d5b2d5d3268f70a759e5e032d66f1774fffeb9b80
                        • Opcode Fuzzy Hash: b022b4422caff96e9d1025a852846c3ee55090d35a1b8134f031eb11976aa1e5
                        • Instruction Fuzzy Hash: D0814C22A285C292EB54EF61E8513BE63A5EFD5764F804131EA8E07ADFEE3CD505C701
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                        • Instruction ID: 485e85a23cffe564b72ea028ccd11e86a039b3b2e2eff9aee97cd7c4bb1e7b5f
                        • Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
                        • Instruction Fuzzy Hash: 4CD05E51A3568141FF646FA1E9427BC12D08F99724F484030CEDE0A3CEEF2C9881C323
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFEF9A2F59
                        • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFEF9A2FB4
                        • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFFEF9A3039
                        • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFFEF9A3164
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$EnumOpen
                        • String ID:
                        • API String ID: 138425441-0
                        • Opcode ID: 3cdd611345af505d133f9999f88c74f8899e9b88f25e4e4ef3f43a56ead5f8f0
                        • Instruction ID: e682346fb04877a5828ddc9d4a2aac84035caabd99871d40e97d9443b3cc5207
                        • Opcode Fuzzy Hash: 3cdd611345af505d133f9999f88c74f8899e9b88f25e4e4ef3f43a56ead5f8f0
                        • Instruction Fuzzy Hash: E5C17321B1DA8142EA619F55E8407BE73D0EF857B0F584235EAED477CDDE2CE8458B02
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: Module$BaseEnumInformationModulesNameProcess
                        • String ID:
                        • API String ID: 2890305978-0
                        • Opcode ID: 6fe6501b3cf8efc8336ef8ee7159eabd25bf175a673bbda21e53829556319e89
                        • Instruction ID: a096486e3eee2ecaaa4e658f4b983f77694bab96515cc0bb8b19ac9972c14a76
                        • Opcode Fuzzy Hash: 6fe6501b3cf8efc8336ef8ee7159eabd25bf175a673bbda21e53829556319e89
                        • Instruction Fuzzy Hash: 81415C22B156918AEB58EFB1E8513ED23A1BB847A8F444036EE8D577CEDF38D505C341
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCodeExitProcess
                        • String ID: 0
                        • API String ID: 1252061823-4108050209
                        • Opcode ID: cb11fa81130d0d5d3c3410b4fb5ef1e114606a7825ecf62a16f4a20f8441ee8c
                        • Instruction ID: 6b1b623c4354a137435e5adbd557c63f9ab9eebd3884a3cad62494f056c69788
                        • Opcode Fuzzy Hash: cb11fa81130d0d5d3c3410b4fb5ef1e114606a7825ecf62a16f4a20f8441ee8c
                        • Instruction Fuzzy Hash: DF3146326186C286EB719F51E8403AE76A0FB84364F544035EBCE47AD9EF3CD545CB45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2f6d19f31b6694c0a71228a85886c7f0685ab46206413fc2dbfe68e670c2c6b7
                        • Instruction ID: e0f8c197fedbbdd4d3a458548577bbb56ddb18044d1b5157e7c85eb8410f0e21
                        • Opcode Fuzzy Hash: 2f6d19f31b6694c0a71228a85886c7f0685ab46206413fc2dbfe68e670c2c6b7
                        • Instruction Fuzzy Hash: 8A51F321B1878242EA649E61AC403BEA2D1FF847A8F554435DADE07BEDDE3ED8018703
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$PointerRead
                        • String ID:
                        • API String ID: 3154509469-0
                        • Opcode ID: 7fd3c55463338311752a020d23ac2f0f41058c94e64903b16c6e49319b63b806
                        • Instruction ID: 855ac7279c3e06814f1b4fc46a37e65f3df3f91d2223e3ddc97cf874a1f75208
                        • Opcode Fuzzy Hash: 7fd3c55463338311752a020d23ac2f0f41058c94e64903b16c6e49319b63b806
                        • Instruction Fuzzy Hash: DF41A521F1868183EA94AF25A84067EA3D5EF847A4F550135EACE47BEDDF3CD402CB42
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEF98961D), ref: 00007FFFEF9A2885
                        • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFEF98961D), ref: 00007FFFEF9A28E8
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: QueryValue
                        • String ID:
                        • API String ID: 3660427363-0
                        • Opcode ID: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
                        • Instruction ID: a90eb8c8479192c9b8c8de0a8b07d349e36278d138c6efcccc94807077ea9517
                        • Opcode Fuzzy Hash: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
                        • Instruction Fuzzy Hash: F0218227B19A9146EA548F55A80022EA791EF84BB4F084131EE9D07BD8DE7CD481CB41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CodeExitFullImageNameQuery
                        • String ID:
                        • API String ID: 2650637187-0
                        • Opcode ID: 86e65a3c246def4f8901ccaa55fa121760af4466330051fbacb23bc8256e741e
                        • Instruction ID: beda20934c0be8ef17a8afe5e88753e5fbc525a191c1761d79e1708a1b139921
                        • Opcode Fuzzy Hash: 86e65a3c246def4f8901ccaa55fa121760af4466330051fbacb23bc8256e741e
                        • Instruction Fuzzy Hash: 01415172A18A4696EB54AF21E8513BD7391EF94BA8F401032EA8E476DDDF3CD841C781
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00007FFFEF97C6F0: GlobalAddAtomW.KERNEL32(?,?,?,?,?,?,00000000,00007FFFEF979747,?,?,00000000,00000000,00000000,00007FFFEF979903), ref: 00007FFFEF97C725
                        • RtlQueueApcWow64Thread.NTDLL(?,?,00000000,?,00000000,00007FFFEF97BA4B), ref: 00007FFFEF97B8E0
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: AtomGlobalQueueThreadWow64
                        • String ID:
                        • API String ID: 1948627636-0
                        • Opcode ID: 010028c1b05b98657b650cf8e473471bf000e06ea75d08db58b48b41ecf8f072
                        • Instruction ID: 621a48392684147baed21fa68830e87286b2f60ab4b0380b2f5639badfa09d45
                        • Opcode Fuzzy Hash: 010028c1b05b98657b650cf8e473471bf000e06ea75d08db58b48b41ecf8f072
                        • Instruction Fuzzy Hash: 98218011B0976245E614EE276C412BF92C1AF85BE4F480435BECD97BCEDE3CE4029341
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GlobalAddAtomW.KERNEL32(?,?,?,?,?,?,00000000,00007FFFEF979747,?,?,00000000,00000000,00000000,00007FFFEF979903), ref: 00007FFFEF97C725
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: AtomGlobal
                        • String ID:
                        • API String ID: 2189174293-0
                        • Opcode ID: d74e24e345fd7d646edc5eb2f3f156c06b8cd08cf4e3823cbbd88ee7d2482df1
                        • Instruction ID: 38f5d18d474ffe0776e347c737d814848d86541df9be5842457de1ccaffa491b
                        • Opcode Fuzzy Hash: d74e24e345fd7d646edc5eb2f3f156c06b8cd08cf4e3823cbbd88ee7d2482df1
                        • Instruction Fuzzy Hash: 69110812F0979142EA54AF6268511BE63C1AFC8BE4F4C4035EACD4BBCEEE2CD4018741
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFFEF9A14EB
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: DescriptorSecurity$ConvertString
                        • String ID:
                        • API String ID: 3907675253-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F6CC
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F75A
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindNext
                        • String ID:
                        • API String ID: 2029273394-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F75A
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F6CC
                        • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFFEF99F9E1), ref: 00007FFFEF99F75A
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateTime
                        • String ID:
                        • API String ID: 1043708186-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnumValue
                        • String ID:
                        • API String ID: 2814608202-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateHeap
                        • String ID:
                        • API String ID: 10892065-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: ComputerName
                        • String ID:
                        • API String ID: 3545744682-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000014.00000002.369557700.00007FFFEF941000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFFEF940000, based on PE: true
                        • Associated: 00000014.00000002.369546325.00007FFFEF940000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369619058.00007FFFEF9C3000.00000002.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369633096.00007FFFEF9D6000.00000004.00000001.01000000.0000000B.sdmp
                        • Associated: 00000014.00000002.369642757.00007FFFEF9D8000.00000002.00000001.01000000.0000000B.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_7fffef940000_MDMAppInstaller.jbxd
                        Yara matches
                        Similarity
                        • API ID: PrivilegeRelease
                        • String ID:
                        • API String ID: 113639715-0
                        Uniqueness

                        Uniqueness Score: -1.00%